* [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
@ 2020-09-03 20:58 Michael Roth
  2020-09-03 20:58 ` [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty Michael Roth
                   ` (79 more replies)
  0 siblings, 80 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v5.0.1:

  https://github.com/mdroth/qemu/commits/stable-5.0-staging

Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:

  https://wiki.qemu.org/Planning/5.0

Please respond here or CC qemu-stable@nongnu.org on any additional patches
you think should be included in the release.

Thanks!


----------------------------------------------------------------
Alexander Duyck (3):
      virtio-balloon: Prevent guest from starting a report when we didn't request one
      virtio-balloon: Add locking to prevent possible race when starting hinting
      virtio-balloon: Replace free page hinting references to 'report' with 'hint'

Alistair Francis (1):
      hw/riscv: Allow 64 bit access to SiFive CLINT

Allan Peramaki (1):
      hw/audio/gus: Fix registers 32-bit access

Andrew Melnychenko (1):
      virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.

Christian Schoenebeck (1):
      xen-9pfs: Fix log messages of reply errors

Cornelia Huck (3):
      linux-headers: update against Linux 5.7-rc3
      virtio: list legacy-capable devices
      virtio: verify that legacy support is not accidentally on

Dan Robertson (1):
      9pfs: include linux/limits.h for XATTR_SIZE_MAX

David Hildenbrand (4):
      virtio-balloon: fix free page hinting without an iothread
      virtio-balloon: fix free page hinting check on unrealize
      virtio-balloon: unref the iothread when unrealizing
      virtio-balloon: always indicate S_DONE when migration fails

Eric Blake (4):
      nbd/server: Avoid long error message assertions CVE-2020-10761
      block: Call attention to truncation of long NBD exports
      nbd: Avoid off-by-one in long export name truncation
      nbd: Fix large trim/zero requests

Gerd Hoffmann (1):
      usb: fix setup_len init (CVE-2020-14364)

Graeme Gregory (1):
      hw/arm/sbsa-ref: fix typo breaking PCIe IRQs

Greg Kurz (1):
      9p: Lock directory streams with a CoMutex

Helge Deller (2):
      Fix tulip breakage
      hw/display/artist: Unbreak size mismatch memory accesses

Igor Mammedov (1):
      hostmem: don't use mbind() if host-nodes is empty

Jason Wang (1):
      net: use peer when purging queue in qemu_flush_or_purge_queue_packets()

Kevin Wolf (1):
      iotests/283: Use consistent size for source and target

Laurent Vivier (1):
      xhci: fix valid.max_access_size to access address registers

Liu Yi L (1):
      intel_iommu: Use correct shift for 256 bits qi descriptor

Marc-André Lureau (1):
      qga: fix assert regression on guest-shutdown

Mark Cave-Ayland (1):
      Update OpenBIOS images to 7f28286f built from submodule.

Markus Armbruster (4):
      net/virtio: Fix failover_replug_primary() return value regression
      error: Use error_reportf_err() where appropriate
      usb/dev-mtp: Fix Error double free after inotify failure
      qdev: Fix device_add DRIVER,help to print to monitor

Max Reitz (3):
      virtiofsd: Whitelist fchmod
      block: Fix bdrv_aligned_p*v() for qiov_offset != 0
      iotests/028: Add test for cross-base-EOF reads

Michael S. Tsirkin (1):
      memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

Michael Tokarev (1):
      acpi: accept byte and word access to core ACPI registers

Michal Privoznik (2):
      util: Introduce qemu_get_host_name()
      qga: Use qemu_get_host_name() instead of g_get_host_name()

Niek Linnenbank (1):
      docs/orangepi: Add instructions for resizing SD image to power of two

Omar Sandoval (1):
      9pfs: local: ignore O_NOATIME if we don't have permissions

Paolo Bonzini (3):
      KVM: x86: believe what KVM says about WAITPKG
      libqos: usb-hcd-ehci: use 32-bit write for config register
      libqos: pci-pc: use 32-bit write for EJ register

Pavel Dovgaluk (3):
      tests/acceptance: allow console interaction with specific VMs
      tests/acceptance: refactor boot_linux to allow code reuse
      tests/acceptance: refactor boot_linux_console test to allow code reuse

Philippe Mathieu-Daudé (9):
      hw/net/e1000e: Do not abort() on invalid PSRCTL register value
      tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
      tests/acceptance/boot_linux: Expand SD card image to power of 2
      hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
      hw/sd/sdcard: Simplify realize() a bit
      hw/sd/sdcard: Do not allow invalid SD card sizes
      hw/sd/sdcard: Update coding style to make checkpatch.pl happy
      hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
      libvhost-user: Report descriptor index on panic

Prasad J Pandit (2):
      ati-vga: check mm_index before recursive call (CVE-2020-13800)
      es1370: check total frame count against current frame

Raphael Pour (1):
      qemu-nbd: Close inherited stderr

Richard Henderson (2):
      target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*
      target/hppa: Free some temps in do_sub

Sergei Trofimovich (1):
      linux-user/strace.list: fix epoll_create{,1} -strace output

Stefan Berger (2):
      tpm: tpm_spapr: Exit on TPM backend failures
      tests: tpm: Skip over pcrUpdateCounter byte in result comparison

Stefan Hajnoczi (4):
      virtiofsd: add --rlimit-nofile=NUM option
      virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
      aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy()
      aio-posix: disable fdmon-io_uring when GSource is used

Stefano Stabellini (2):
      Revert "9p: init_in_iov_from_pdu can truncate the size"
      xen/9pfs: yield when there isn't enough room on the ring

Thomas Huth (1):
      net: Do not include a newline in the id of -nic devices

Vladimir Sementsov-Ogievskiy (1):
      migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start

Yuri Benditovich (1):
      virtio-net: align RSC fields with updated virtio-net header

lichun (1):
      chardev/tcp: Fix error message double free error

 backends/hostmem.c                                 |   6 +-
 block.c                                            |   7 +-
 block/io.c                                         |  10 +-
 block/nbd.c                                        |  21 ++--
 chardev/char-socket.c                              |   8 +-
 contrib/libvhost-user/libvhost-user.c              |   4 +-
 docs/system/arm/orangepi.rst                       |  16 ++-
 hw/9pfs/9p-util.h                                  |  13 ++
 hw/9pfs/9p.c                                       |  34 ++----
 hw/9pfs/9p.h                                       |  10 +-
 hw/9pfs/virtio-9p-device.c                         |  11 +-
 hw/9pfs/xen-9p-backend.c                           |  41 +++++--
 hw/acpi/core.c                                     |   9 +-
 hw/arm/sbsa-ref.c                                  |   2 +-
 hw/audio/es1370.c                                  |   7 +-
 hw/audio/gusemu_hal.c                              |   2 +-
 hw/audio/gusemu_mixer.c                            |   2 +-
 hw/display/artist.c                                |  12 +-
 hw/display/ati.c                                   |  10 +-
 hw/i386/intel_iommu.c                              |   7 +-
 hw/i386/intel_iommu_internal.h                     |   3 +-
 hw/net/e1000e_core.c                               |  10 +-
 hw/net/tulip.c                                     |   6 -
 hw/net/virtio-net.c                                |  29 +----
 hw/riscv/sifive_clint.c                            |   2 +-
 hw/s390x/virtio-ccw.c                              |   6 +
 hw/sd/pxa2xx_mmci.c                                |   4 +-
 hw/sd/sd.c                                         |  90 ++++++++++----
 hw/tpm/tpm_spapr.c                                 |   5 +-
 hw/usb/core.c                                      |  16 ++-
 hw/usb/dev-mtp.c                                   |  11 +-
 hw/usb/hcd-xhci.c                                  |   4 +-
 hw/virtio/virtio-balloon.c                         | 133 ++++++++++++---------
 hw/virtio/virtio-pci.c                             |  38 ++++--
 hw/virtio/virtio.c                                 |  25 ++++
 include/block/aio.h                                |   3 +
 include/hw/virtio/virtio-balloon.h                 |  20 ++--
 include/hw/virtio/virtio.h                         |   2 +
 include/qemu/osdep.h                               |  10 ++
 include/standard-headers/linux/ethtool.h           |  10 +-
 include/standard-headers/linux/input-event-codes.h |   5 +-
 include/standard-headers/linux/pci_regs.h          |   2 +
 include/standard-headers/linux/vhost_types.h       |   8 ++
 include/standard-headers/linux/virtio_balloon.h    |  12 +-
 include/standard-headers/linux/virtio_ids.h        |   1 +
 include/standard-headers/linux/virtio_net.h        | 102 +++++++++++++++-
 linux-headers/COPYING                              |   2 +
 linux-headers/asm-x86/kvm.h                        |   1 +
 linux-headers/asm-x86/unistd_32.h                  |   1 +
 linux-headers/asm-x86/unistd_64.h                  |   1 +
 linux-headers/asm-x86/unistd_x32.h                 |   1 +
 linux-headers/linux/kvm.h                          |  47 +++++++-
 linux-headers/linux/mman.h                         |   5 +-
 linux-headers/linux/userfaultfd.h                  |  40 +++++--
 linux-headers/linux/vfio.h                         |  37 ++++++
 linux-headers/linux/vhost.h                        |  24 ++++
 linux-user/strace.list                             |   4 +-
 memory.c                                           |  29 ++---
 migration/block-dirty-bitmap.c                     |   2 +-
 nbd/server.c                                       |  51 ++++++--
 net/net.c                                          |   4 +-
 pc-bios/openbios-ppc                               | Bin 696912 -> 696912 bytes
 pc-bios/openbios-sparc32                           | Bin 382048 -> 382048 bytes
 pc-bios/openbios-sparc64                           | Bin 1593408 -> 1593408 bytes
 qdev-monitor.c                                     |   2 +-
 qemu-nbd.c                                         |  13 +-
 qga/commands.c                                     |  17 ++-
 qga/main.c                                         |   6 +-
 roms/openbios                                      |   2 +-
 scsi/qemu-pr-helper.c                              |   4 +-
 target/arm/vec_helper.c                            |   2 +
 target/hppa/translate.c                            |   2 +
 target/i386/cpu.c                                  |   3 +
 target/i386/kvm.c                                  |  11 +-
 target/i386/kvm_i386.h                             |   1 +
 tests/acceptance/avocado_qemu/__init__.py          |  13 +-
 tests/acceptance/boot_linux.py                     |  49 ++++----
 tests/acceptance/boot_linux_console.py             |  55 ++++++---
 tests/qemu-iotests/028                             |  19 +++
 tests/qemu-iotests/028.out                         |  11 ++
 tests/qemu-iotests/143                             |   4 +
 tests/qemu-iotests/143.out                         |   2 +
 tests/qemu-iotests/283                             |   6 +-
 tests/qemu-iotests/283.out                         |   2 +-
 tests/qtest/libqos/pci-pc.c                        |   2 +-
 tests/qtest/tpm-util.c                             |   6 +-
 tests/qtest/usb-hcd-ehci-test.c                    |   2 +-
 tools/virtiofsd/fuse_lowlevel.h                    |   1 +
 tools/virtiofsd/helper.c                           |  47 ++++++++
 tools/virtiofsd/passthrough_ll.c                   |  22 ++--
 tools/virtiofsd/seccomp.c                          |   1 +
 util/aio-posix.c                                   |  13 ++
 util/aio-win32.c                                   |   4 +
 util/async.c                                       |   1 +
 util/fdmon-io_uring.c                              |  13 +-
 util/oslib-posix.c                                 |  35 ++++++
 util/oslib-win32.c                                 |  13 ++
 97 files changed, 1045 insertions(+), 377 deletions(-)





* [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_* Michael Roth
                   ` (78 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Igor Mammedov, qemu-stable, Eduardo Habkost

From: Igor Mammedov <imammedo@redhat.com>

Since 5.0 QEMU uses hostmem backend for allocating main guest RAM.
The backend however calls mbind() which is typically NOP
in case of default policy/absent host-nodes bitmap.
However when running in container with black-listed mbind()
syscall, QEMU fails to start with error
 "cannot bind memory to host NUMA nodes: Operation not permitted"
even when user hasn't provided host-nodes to pin to explicitly
(which is the case with -m option)

To fix issue, call mbind() only in case when user has provided
host-nodes explicitly (i.e. host_nodes bitmap is not empty).
That should allow to run QEMU in containers with black-listed
mbind() without memory pinning. If QEMU provided memory-pinning
is required user still has to white-list mbind() in container
configuration.

Reported-by: Manuel Hohmann <mhohmann@physnet.uni-hamburg.de>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20200430154606.6421-1-imammedo@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 70b6d525dfb51d5e523d568d1139fc051bc223c5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 backends/hostmem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/backends/hostmem.c b/backends/hostmem.c
index 327f9eebc3..0efd7b7bd6 100644
--- a/backends/hostmem.c
+++ b/backends/hostmem.c
@@ -383,8 +383,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
         assert(sizeof(backend->host_nodes) >=
                BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long));
         assert(maxnode <= MAX_NODES);
-        if (mbind(ptr, sz, backend->policy,
-                  maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) {
+
+        if (maxnode &&
+            mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1,
+                  flags)) {
             if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) {
                 error_setg_errno(errp, errno,
                                  "cannot bind memory to host NUMA nodes");
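Review bot: with the new `maxnode &&` guard, an empty host_nodes bitmap skips mbind() for every value of backend->policy, not only MPOL_DEFAULT, so a non-default policy that reached this point without host-nodes would be dropped silently. If that combination is rejected earlier in host_memory_backend_memory_complete(), a short comment saying so (or an assert that the policy is MPOL_DEFAULT when maxnode is 0) would make the skip explicit. The `backend->policy != MPOL_DEFAULT || errno != ENOSYS` test that follows deserves a second look now that mbind() is only attempted when host-nodes is set, and the added blank `+` line before the `if` is unrelated whitespace.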
-- 
2.17.1




* [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
  2020-09-03 20:58 ` [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 03/77] qemu-nbd: Close inherited stderr Michael Roth
                   ` (77 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Richard Henderson, qemu-stable

From: Richard Henderson <richard.henderson@linaro.org>

Must clear the tail for AdvSIMD when SVE is enabled.

Fixes: ca40a6e6e39
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200513163245.17915-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 525d9b6d42844e187211d25b69be8b378785bc24)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target/arm/vec_helper.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index 8017bd88c4..5ce111b286 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -737,6 +737,7 @@ void HELPER(NAME)(void *vd, void *vn, void *vm, void *stat, uint32_t desc) \
             d[i + j] = TYPE##_mul(n[i + j], mm, stat);                     \
         }                                                                  \
     }                                                                      \
+    clear_tail(d, oprsz, simd_maxsz(desc));                                \
 }
 
 DO_MUL_IDX(gvec_fmul_idx_h, float16, H2)
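Review bot: the added clear_tail(d, oprsz, simd_maxsz(desc)) at the end of the DO_MUL_IDX body carries no comment, and the commit message's one-line rationale (the tail must be cleared for AdvSIMD when SVE is enabled) is not visible at the call site. A one-line comment above the call would help whoever adds the next indexed helper macro to this file.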
@@ -761,6 +762,7 @@ void HELPER(NAME)(void *vd, void *vn, void *vm, void *va,                  \
                                      mm, a[i + j], 0, stat);               \
         }                                                                  \
     }                                                                      \
+    clear_tail(d, oprsz, simd_maxsz(desc));                                \
 }
 
 DO_FMLA_IDX(gvec_fmla_idx_h, float16, H2)
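Review bot: no test accompanies the clear_tail() call added to the DO_FMLA_IDX body, and the same one-line omission had to be fixed in DO_MUL_IDX as well, which suggests it is easy to miss. A regression test that checks the bytes between oprsz and simd_maxsz(desc) are zero after gvec_fmul_idx_* and gvec_fmla_idx_* run would keep it from recurring.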
-- 
2.17.1




* [PATCH 03/77] qemu-nbd: Close inherited stderr
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
  2020-09-03 20:58 ` [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty Michael Roth
  2020-09-03 20:58 ` [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_* Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 04/77] 9p: Lock directory streams with a CoMutex Michael Roth
                   ` (76 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Raphael Pour

From: Raphael Pour <raphael.pour@hetzner.com>

Close inherited stderr of the parent if fork_process is false.
Otherwise no one will close it. (introduced by e6df58a5)

This only affected 'qemu-nbd -c /dev/nbd0'.

Signed-off-by: Raphael Pour <raphael.pour@hetzner.com>
Message-Id: <d8ddc993-9816-836e-a3de-c6edab9d9c49@hetzner.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: Enhance commit message]
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 0eaf453ebf6788885fbb5d40426b154ef8805407)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-nbd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qemu-nbd.c b/qemu-nbd.c
index 4aa005004e..306e44fb0a 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -916,7 +916,11 @@ int main(int argc, char **argv)
         } else if (pid == 0) {
             close(stderr_fd[0]);
 
-            old_stderr = dup(STDERR_FILENO);
+            /* Remember parent's stderr if we will be restoring it. */
+            if (fork_process) {
+                old_stderr = dup(STDERR_FILENO);
+            }
+
             ret = qemu_daemon(1, 0);
 
             /* Temporarily redirect stderr to the parent's pipe...  */
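Review bot: old_stderr is now assigned only under `if (fork_process)`, so its declaration, which is outside this hunk, needs an initializer (for example -1), and the later code that restores stderr from it has to sit under the same condition; neither is visible here. The return value of dup(STDERR_FILENO) is also still unchecked, so a failed dup() would only surface when the descriptor is used later.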
-- 
2.17.1




* [PATCH 04/77] 9p: Lock directory streams with a CoMutex
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (2 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 03/77] qemu-nbd: Close inherited stderr Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 05/77] net: Do not include a newline in the id of -nic devices Michael Roth
                   ` (75 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Greg Kurz

From: Greg Kurz <groug@kaod.org>

Locking was introduced in QEMU 2.7 to address the deprecation of
readdir_r(3) in glibc 2.24. It turns out that the frontend code is
the worst place to handle a critical section with a pthread mutex:
the code runs in a coroutine on behalf of the QEMU mainloop and then
yields control, waiting for the fsdev backend to process the request
in a worker thread. If the client resends another readdir request for
the same fid before the previous one finally unlocked the mutex, we're
deadlocked.

This never bit us because the linux client serializes readdir requests
for the same fid, but it is quite easy to demonstrate with a custom
client.

A good solution could be to narrow the critical section in the worker
thread code and to return a copy of the dirent to the frontend, but
this causes quite some changes in both 9p.c and codir.c. So, instead
of that, in order for people to easily backport the fix to older QEMU
versions, let's simply use a CoMutex since all the users for this
sit in coroutines.

Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir")
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/9p.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index b8f72a3bd9..c381fe091a 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -197,22 +197,22 @@ typedef struct V9fsXattr
 
 typedef struct V9fsDir {
     DIR *stream;
-    QemuMutex readdir_mutex;
+    CoMutex readdir_mutex;
 } V9fsDir;
 
 static inline void v9fs_readdir_lock(V9fsDir *dir)
 {
-    qemu_mutex_lock(&dir->readdir_mutex);
+    qemu_co_mutex_lock(&dir->readdir_mutex);
 }
 
 static inline void v9fs_readdir_unlock(V9fsDir *dir)
 {
-    qemu_mutex_unlock(&dir->readdir_mutex);
+    qemu_co_mutex_unlock(&dir->readdir_mutex);
 }
 
 static inline void v9fs_readdir_init(V9fsDir *dir)
 {
-    qemu_mutex_init(&dir->readdir_mutex);
+    qemu_co_mutex_init(&dir->readdir_mutex);
 }
 
 /*
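Review bot: v9fs_readdir_lock() and v9fs_readdir_unlock() now call qemu_co_mutex_lock() and qemu_co_mutex_unlock(), which are only valid in coroutine context, yet the helpers remain plain `static inline void` with nothing marking that requirement. Annotating them with coroutine_fn, or adding a comment on V9fsDir that readdir_mutex may only be taken from a coroutine, would keep a later caller in worker-thread code from using them; the commit message says all current users sit in coroutines, but the header does not.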
-- 
2.17.1




* [PATCH 05/77] net: Do not include a newline in the id of -nic devices
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (3 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 04/77] 9p: Lock directory streams with a CoMutex Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 06/77] nbd/server: Avoid long error message assertions CVE-2020-10761 Michael Roth
                   ` (74 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth, qemu-stable, Laurent Vivier

From: Thomas Huth <thuth@redhat.com>

The '\n' sneaked in by accident here, an "id" string should really
not contain a newline character at the end.

Fixes: 78cd6f7bf6b ('net: Add a new convenience option "--nic" ...')
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200518074352.23125-1-thuth@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 0561dfac082becdd9e89110249a27b309b62aa9f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 net/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index 38778e831d..cbeeeadff8 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1506,7 +1506,7 @@ static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
     /* Create an ID if the user did not specify one */
     nd_id = g_strdup(qemu_opts_id(opts));
     if (!nd_id) {
-        nd_id = g_strdup_printf("__org.qemu.nic%i\n", idx);
+        nd_id = g_strdup_printf("__org.qemu.nic%i", idx);
         qemu_opts_set_id(opts, nd_id);
     }
 
-- 
2.17.1




* [PATCH 06/77] nbd/server: Avoid long error message assertions CVE-2020-10761
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (4 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 05/77] net: Do not include a newline in the id of -nic devices Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 07/77] virtio-balloon: fix free page hinting without an iothread Michael Roth
                   ` (73 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Eric Blake <eblake@redhat.com>

Ever since commit 36683283 (v2.8), the server code asserts that error
strings sent to the client are well-formed per the protocol by not
exceeding the maximum string length of 4096.  At the time the server
first started sending error messages, the assertion could not be
triggered, because messages were completely under our control.
However, over the years, we have added latent scenarios where a client
could trigger the server to attempt an error message that would
include the client's information if it passed other checks first:

- requesting NBD_OPT_INFO/GO on an export name that is not present
  (commit 0cfae925 in v2.12 echoes the name)

- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
  not present (commit e7b1948d in v2.12 echoes the name)

At the time, those were still safe because we flagged names larger
than 256 bytes with a different message; but that changed in commit
93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
string limit.  (That commit also failed to change the magic number
4096 in nbd_negotiate_send_rep_err to the just-introduced named
constant.)  So with that commit, long client names appended to server
text can now trigger the assertion, and thus be used as a denial of
service attack against a server.  As a mitigating factor, if the
server requires TLS, the client cannot trigger the problematic paths
unless it first supplies TLS credentials, and such trusted clients are
less likely to try to intentionally crash the server.

We may later want to further sanitize the user-supplied strings we
place into our error messages, such as scrubbing out control
characters, but that is less important to the CVE fix, so it can be a
later patch to the new nbd_sanitize_name.

Consideration was given to changing the assertion in
nbd_negotiate_send_rep_verr to instead merely log a server error and
truncate the message, to avoid leaving a latent path that could
trigger a future CVE DoS on any new error message.  However, this
merely complicates the code for something that is already (correctly)
flagging coding errors, and now that we are aware of the long message
pitfall, we are less likely to introduce such errors in the future,
which would make such error handling dead code.

Reported-by: Xueqiang Wei <xuwei@redhat.com>
CC: qemu-stable@nongnu.org
Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
Fixes: 93676c88d7
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 5c4fe018c025740fef4a0a4421e8162db0c3eefd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd/server.c               | 23 ++++++++++++++++++++---
 tests/qemu-iotests/143     |  4 ++++
 tests/qemu-iotests/143.out |  2 ++
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 02b1ed0801..20754e9ebc 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
 
     msg = g_strdup_vprintf(fmt, va);
     len = strlen(msg);
-    assert(len < 4096);
+    assert(len < NBD_MAX_STRING_SIZE);
     trace_nbd_negotiate_send_rep_err(msg);
     ret = nbd_negotiate_send_rep_len(client, type, len, errp);
     if (ret < 0) {
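Review bot: assert(len < NBD_MAX_STRING_SIZE) remains the only bound in nbd_negotiate_send_rep_verr(), so any caller that formats client-supplied text into the message can still abort the server. Since the commit message decides to keep the assertion, a comment above it stating that callers must bound client-controlled strings (for example through nbd_sanitize_name) would document the contract at the place where it is enforced.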
@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
     return 0;
 }
 
+/*
+ * Return a malloc'd copy of @name suitable for use in an error reply.
+ */
+static char *
+nbd_sanitize_name(const char *name)
+{
+    if (strnlen(name, 80) < 80) {
+        return g_strdup(name);
+    }
+    /* XXX Should we also try to sanitize any control characters? */
+    return g_strdup_printf("%.80s...", name);
+}
+
 /* Send an error reply.
  * Return -errno on error, 0 on success. */
 static int GCC_FMT_ATTR(4, 5)
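Review bot: in nbd_sanitize_name(), a name of exactly 80 bytes fails the `strnlen(name, 80) < 80` test and takes the "%.80s..." branch, so it gets an ellipsis although nothing was cut; testing `strnlen(name, 81) <= 80` instead would avoid that. The literal 80 appears three times and would read better as a named constant, and the doc comment should say that long names are truncated and that the caller releases the result with g_free().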
@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
 
     exp = nbd_export_find(name);
     if (!exp) {
+        g_autofree char *sane_name = nbd_sanitize_name(name);
+
         return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
                                           errp, "export '%s' not present",
-                                          name);
+                                          sane_name);
     }
 
     /* Don't bother sending NBD_INFO_NAME unless client requested it */
@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
 
     meta->exp = nbd_export_find(export_name);
     if (meta->exp == NULL) {
+        g_autofree char *sane_name = nbd_sanitize_name(export_name);
+
         return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
-                            "export '%s' not present", export_name);
+                            "export '%s' not present", sane_name);
     }
 
     ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
index f649b36195..d2349903b1 100755
--- a/tests/qemu-iotests/143
+++ b/tests/qemu-iotests/143
@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
 $QEMU_IO_PROG -f raw -c quit \
     "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
     | _filter_qemu_io | _filter_nbd
+# Likewise, with longest possible name permitted in NBD protocol
+$QEMU_IO_PROG -f raw -c quit \
+    "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
+    | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
 
 _send_qemu_cmd $QEMU_HANDLE \
     "{ 'execute': 'quit' }" \
diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
index 1f4001c601..fc9c0a761f 100644
--- a/tests/qemu-iotests/143.out
+++ b/tests/qemu-iotests/143.out
@@ -5,6 +5,8 @@ QA output created by 143
 {"return": {}}
 qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
 server reported: export 'no_such_export' not present
+qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
+server reported: export 'aa--aa...' not present
 { 'execute': 'quit' }
 {"return": {}}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
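Review bot: the expected line `server reported: export 'aa--aa...' not present` cannot confirm the 80-byte cut, because the sed 's/aaaa*aa/aa--aa/' filter added in tests/qemu-iotests/143 collapses a run of a's of any length from five upward, so the output would be identical if the server truncated at some other length. Having the test report the length of the echoed name instead of collapsing it would make the reference output check the bound.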
-- 
2.17.1
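
The length arithmetic behind the CVE-2020-10761 commit message above, as an added example that is not part of the patch or of QEMU: it shows at which name length the "export '%s' not present" reply stops fitting the 4096-byte NBD string limit, and that an 80-byte echo keeps it well under. The names `reply_len`, `fits_nbd_string`, `sanitize_name`, `make_name` and `reply_len_for` are hypothetical, libc stands in for glib, and the replacement of control bytes with '?' is an assumption of this example (the commit message leaves that to a later patch).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits taken from the patch text: NBD strings are capped at 4096 bytes,
 * and the fix echoes at most 80 bytes of a client-supplied name. */
#define NBD_MAX_STRING_SIZE 4096
#define NAME_ECHO_MAX 80

/* Length of the error text the server would build around `name`. */
static int reply_len(const char *name)
{
    return snprintf(NULL, 0, "export '%s' not present", name);
}

/* The condition the server asserts on before sending the reply. */
static int fits_nbd_string(int len)
{
    return len >= 0 && len < NBD_MAX_STRING_SIZE;
}

/*
 * Bounded copy of a client-supplied name for use in an error reply.
 * Same cut-off rule as the patch: fewer than 80 bytes are copied whole,
 * otherwise the first 80 bytes are kept and "..." is appended.
 * Replacing control bytes with '?' is an addition of this example
 * (hypothetical), not something the patch does. Caller frees the result.
 */
static char *sanitize_name(const char *name)
{
    size_t keep = 0, i;
    char *out;

    while (keep < NAME_ECHO_MAX && name[keep] != '\0') {
        keep++;
    }
    out = malloc(keep + 4);            /* room for "..." and the NUL */
    if (!out) {
        return NULL;
    }
    for (i = 0; i < keep; i++) {
        unsigned char c = (unsigned char)name[i];
        out[i] = iscntrl(c) ? '?' : (char)c;
    }
    strcpy(out + keep, keep == NAME_ECHO_MAX ? "..." : "");
    return out;
}

/* Constructed input: a name of n copies of 'a', in the style of iotest 143. */
static char *make_name(size_t n)
{
    char *s = malloc(n + 1);

    if (s) {
        memset(s, 'a', n);
        s[n] = '\0';
    }
    return s;
}

/* Reply length for an n-byte name, echoed raw or through sanitize_name(). */
static int reply_len_for(size_t n, int sanitize)
{
    char *name = make_name(n);
    char *echo = (name && sanitize) ? sanitize_name(name) : NULL;
    int len = -1;

    if (name && (!sanitize || echo)) {
        len = reply_len(sanitize ? echo : name);
    }
    free(echo);
    free(name);
    return len;
}

int main(void)
{
    size_t sizes[] = { 14, 79, 80, 4074, 4075, 4096 };
    size_t i;

    puts("name_len  raw_reply  raw_fits  sanitized_reply  sanitized_fits");
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        int raw = reply_len_for(sizes[i], 0);
        int san = reply_len_for(sizes[i], 1);

        printf("%8zu  %9d  %8s  %15d  %14s\n", sizes[i], raw,
               fits_nbd_string(raw) ? "yes" : "NO", san,
               fits_nbd_string(san) ? "yes" : "NO");
    }
    return 0;
}
```

The fixed text around the name is 21 bytes, so the raw reply first breaks the limit at a 4075-byte name, while the sanitized reply never exceeds 104 bytes.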




* [PATCH 07/77] virtio-balloon: fix free page hinting without an iothread
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (5 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 06/77] nbd/server: Avoid long error message assertions CVE-2020-10761 Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 08/77] virtio-balloon: fix free page hinting check on unrealize Michael Roth
                   ` (72 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Michael S . Tsirkin, David Hildenbrand, qemu-stable,
	Alexander Duyck, Wei Wang, Philippe Mathieu-Daudé

From: David Hildenbrand <david@redhat.com>

In case we don't have an iothread, we mark the feature as absent but
still add the queue. 'free_page_bh' remains set to NULL.

qemu-system-i386 \
        -M microvm \
        -nographic \
        -device virtio-balloon-device,free-page-hint=true \
        -nographic \
        -display none \
        -monitor none \
        -serial none \
        -qtest stdio

Doing a "write 0xc0000e30 0x24
0x030000000300000003000000030000000300000003000000030000000300000003000000"

We will trigger a SEGFAULT. Let's move the check and bail out.

While at it, move the static initializations to instance_init().
free_page_report_status and block_iothread are implicitly set to the
right values (0/false) already, so drop the initialization.

Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-stable@nongnu.org
Cc: Wei Wang <wei.w.wang@intel.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200520100439.19872-2-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 12fc8903a8ee09fb5f642de82699a0b211e1b5a7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index a4729f7fc9..ef499e1b3b 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -789,6 +789,13 @@ static void virtio_balloon_device_realize(DeviceState *dev, Error **errp)
         return;
     }
 
+    if (virtio_has_feature(s->host_features, VIRTIO_BALLOON_F_FREE_PAGE_HINT) &&
+        !s->iothread) {
+        error_setg(errp, "'free-page-hint' requires 'iothread' to be set");
+        virtio_cleanup(vdev);
+        return;
+    }
+
     s->ivq = virtio_add_queue(vdev, 128, virtio_balloon_handle_output);
     s->dvq = virtio_add_queue(vdev, 128, virtio_balloon_handle_output);
     s->svq = virtio_add_queue(vdev, 128, virtio_balloon_receive_stats);
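
Review bot: the new check in virtio_balloon_device_realize() turns a configuration that used to be accepted into a hard realize failure. The else branch removed further down only cleared VIRTIO_BALLOON_F_FREE_PAGE_HINT and reported "iothread is missing", whereas command lines with free-page-hint=true and no iothread now stop with "'free-page-hint' requires 'iothread' to be set". For a stable backport that user-visible change should be called out in the commit message or the release notes.
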
@@ -797,24 +804,11 @@ static void virtio_balloon_device_realize(DeviceState *dev, Error **errp)
                            VIRTIO_BALLOON_F_FREE_PAGE_HINT)) {
         s->free_page_vq = virtio_add_queue(vdev, VIRTQUEUE_MAX_SIZE,
                                            virtio_balloon_handle_free_page_vq);
-        s->free_page_report_status = FREE_PAGE_REPORT_S_STOP;
-        s->free_page_report_cmd_id =
-                           VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
-        s->free_page_report_notify.notify =
-                                       virtio_balloon_free_page_report_notify;
         precopy_add_notifier(&s->free_page_report_notify);
-        if (s->iothread) {
-            object_ref(OBJECT(s->iothread));
-            s->free_page_bh = aio_bh_new(iothread_get_aio_context(s->iothread),
-                                       virtio_ballloon_get_free_page_hints, s);
-            qemu_mutex_init(&s->free_page_lock);
-            qemu_cond_init(&s->free_page_cond);
-            s->block_iothread = false;
-        } else {
-            /* Simply disable this feature if the iothread wasn't created. */
-            s->host_features &= ~(1 << VIRTIO_BALLOON_F_FREE_PAGE_HINT);
-            virtio_error(vdev, "iothread is missing");
-        }
+
+        object_ref(OBJECT(s->iothread));
+        s->free_page_bh = aio_bh_new(iothread_get_aio_context(s->iothread),
+                                     virtio_ballloon_get_free_page_hints, s);
     }
     reset_stats(s);
 }
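
Review bot: dropping `s->free_page_report_status = FREE_PAGE_REPORT_S_STOP;` makes the code depend on FREE_PAGE_REPORT_S_STOP being 0 and on the instance memory being zeroed, which only the commit message states. A one-line comment in virtio_balloon_instance_init(), or a build-time assertion that the enum value is 0, would keep this from breaking silently if the enum is ever reordered.
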
@@ -892,6 +886,11 @@ static void virtio_balloon_instance_init(Object *obj)
 {
     VirtIOBalloon *s = VIRTIO_BALLOON(obj);
 
+    qemu_mutex_init(&s->free_page_lock);
+    qemu_cond_init(&s->free_page_cond);
+    s->free_page_report_cmd_id = VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
+    s->free_page_report_notify.notify = virtio_balloon_free_page_report_notify;
+
     object_property_add(obj, "guest-stats", "guest statistics",
                         balloon_stats_get_all, NULL, NULL, s, NULL);
 
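
Review bot: qemu_mutex_init() and qemu_cond_init() now run in virtio_balloon_instance_init() for every instance, but this patch adds no matching qemu_mutex_destroy() or qemu_cond_destroy(). Please pair them in an instance_finalize callback, or say where the existing teardown happens, so the lock and condition variable are released when the object is freed.
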
-- 
2.17.1




* [PATCH 08/77] virtio-balloon: fix free page hinting check on unrealize
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (6 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 07/77] virtio-balloon: fix free page hinting without an iothread Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing Michael Roth
                   ` (71 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Michael S . Tsirkin, David Hildenbrand, qemu-stable,
	Alexander Duyck, Wei Wang, Philippe Mathieu-Daudé

From: David Hildenbrand <david@redhat.com>

Checking against guest features is wrong. We allocated data structures
based on host features. We can rely on "free_page_bh" as an indicator
whether to un-do stuff instead.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Cc: qemu-stable@nongnu.org
Cc: Wei Wang <wei.w.wang@intel.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200520100439.19872-3-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 49b01711b8eb3796c6904c7f85d2431572cfe54f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index ef499e1b3b..3e3b5ff0f8 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -818,7 +818,7 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp)
     VirtIODevice *vdev = VIRTIO_DEVICE(dev);
     VirtIOBalloon *s = VIRTIO_BALLOON(dev);
 
-    if (virtio_balloon_free_page_support(s)) {
+    if (s->free_page_bh) {
         qemu_bh_delete(s->free_page_bh);
         virtio_balloon_free_page_stop(s);
         precopy_remove_notifier(&s->free_page_report_notify);
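
Review bot: with `if (s->free_page_bh)` as the teardown guard, the pointer should be cleared after qemu_bh_delete(); the visible lines leave it pointing at the deleted bottom half. If unrealize runs again, or the device is realized later without the feature, the guard passes on a stale pointer. Adding `s->free_page_bh = NULL;` after the delete makes the indicator reliable.
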
-- 
2.17.1




* [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (7 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 08/77] virtio-balloon: fix free page hinting check on unrealize Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 10/77] block: Call attention to truncation of long NBD exports Michael Roth
                   ` (70 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Michael S . Tsirkin, David Hildenbrand, qemu-stable,
	Alexander Duyck, Wei Wang, Philippe Mathieu-Daudé

From: David Hildenbrand <david@redhat.com>

We took a reference when realizing, so let's drop that reference when
unrealizing.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Cc: qemu-stable@nongnu.org
Cc: Wei Wang <wei.w.wang@intel.com>
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200520100439.19872-4-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 105aef9c9479786d27c1c45c9b0b1fa03dc46be3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 3e3b5ff0f8..e20f90dad4 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -820,6 +820,7 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp)
 
     if (s->free_page_bh) {
         qemu_bh_delete(s->free_page_bh);
+        object_unref(OBJECT(s->iothread));
         virtio_balloon_free_page_stop(s);
         precopy_remove_notifier(&s->free_page_report_notify);
     }
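
Review bot: object_unref(OBJECT(s->iothread)) is placed before virtio_balloon_free_page_stop(s) and precopy_remove_notifier(). If this drops the last reference, the iothread can go away while the stop path and the notifier are still live. Releasing the reference last in this block, after the notifier has been removed, is the safer order.
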
-- 
2.17.1




* [PATCH 10/77] block: Call attention to truncation of long NBD exports
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (8 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions Michael Roth
                   ` (69 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Eric Blake <eblake@redhat.com>

Commit 93676c88 relaxed our NBD client code to request export names up
to the NBD protocol maximum of 4096 bytes without NUL terminator, even
though the block layer can't store anything longer than 4096 bytes
including NUL terminator for display to the user.  Since this means
there are some export names where we have to truncate things, we can
at least try to make the truncation a bit more obvious for the user.
Note that in spite of the truncated display name, we can still
communicate with an NBD server using such a long export name; this was
deemed nicer than refusing to even connect to such a server (since the
server may not be under our control, and since determining our actual
length limits gets tricky when nbd://host:port/export and
nbd+unix:///export?socket=/path are themselves variable-length
expansions beyond the export name but count towards the block layer
name length).

Reported-by: Xueqiang Wei <xuwei@redhat.com>
Fixes: https://bugzilla.redhat.com/1843684
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200610163741.3745251-3-eblake@redhat.com>
(cherry picked from commit 5c86bdf1208916ece0b87e1151c9b48ee54faa3e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c     |  7 +++++--
 block/nbd.c | 21 +++++++++++++--------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/block.c b/block.c
index 2e3905c99e..e7e0a92536 100644
--- a/block.c
+++ b/block.c
@@ -6710,8 +6710,11 @@ void bdrv_refresh_filename(BlockDriverState *bs)
         pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename);
     } else {
         QString *json = qobject_to_json(QOBJECT(bs->full_open_options));
-        snprintf(bs->filename, sizeof(bs->filename), "json:%s",
-                 qstring_get_str(json));
+        if (snprintf(bs->filename, sizeof(bs->filename), "json:%s",
+                     qstring_get_str(json)) >= sizeof(bs->filename)) {
+            /* Give user a hint if we truncated things. */
+            strcpy(bs->filename + sizeof(bs->filename) - 4, "...");
+        }
         qobject_unref(json);
     }
 }
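
Review bot: in bdrv_refresh_filename() the literal 4 in `bs->filename + sizeof(bs->filename) - 4` is tied to the length of "..." plus its NUL; writing it as `sizeof("...")` keeps the offset and the string in step. The comparison also mixes snprintf()'s int return value with a size_t, so a negative return would be treated as truncation; storing the result in an int and checking for `< 0` separately would make the intent explicit.
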
diff --git a/block/nbd.c b/block/nbd.c
index 2160859f64..bfc0be6af6 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -1986,6 +1986,7 @@ static void nbd_refresh_filename(BlockDriverState *bs)
 {
     BDRVNBDState *s = bs->opaque;
     const char *host = NULL, *port = NULL, *path = NULL;
+    size_t len = 0;
 
     if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
         const InetSocketAddress *inet = &s->saddr->u.inet;
@@ -1998,17 +1999,21 @@ static void nbd_refresh_filename(BlockDriverState *bs)
     } /* else can't represent as pseudo-filename */
 
     if (path && s->export) {
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
-                 "nbd+unix:///%s?socket=%s", s->export, path);
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+                       "nbd+unix:///%s?socket=%s", s->export, path);
     } else if (path && !s->export) {
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
-                 "nbd+unix://?socket=%s", path);
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+                       "nbd+unix://?socket=%s", path);
     } else if (host && s->export) {
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
-                 "nbd://%s:%s/%s", host, port, s->export);
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+                       "nbd://%s:%s/%s", host, port, s->export);
     } else if (host && !s->export) {
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
-                 "nbd://%s:%s", host, port);
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+                       "nbd://%s:%s", host, port);
+    }
+    if (len > sizeof(bs->exact_filename)) {
+        /* Name is too long to represent exactly, so leave it empty. */
+        bs->exact_filename[0] = '\0';
     }
 }
 
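
Review bot: the truncation test `if (len > sizeof(bs->exact_filename))` is off by one. snprintf() returns the length without the terminating NUL, so a return value equal to the buffer size already means the last character was cut off; the block.c hunk in this same patch uses `>=` for that case. Use `len >= sizeof(bs->exact_filename)` here as well. `len` is also declared size_t while snprintf() returns int, so an int with an explicit negative check would be cleaner.
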
-- 
2.17.1




* [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (9 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 10/77] block: Call attention to truncation of long NBD exports Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX Michael Roth
                   ` (68 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Greg Kurz, qemu-stable, Omar Sandoval

From: Omar Sandoval <osandov@fb.com>

QEMU's local 9pfs server passes through O_NOATIME from the client. If
the QEMU process doesn't have permissions to use O_NOATIME (namely, it
does not own the file nor have the CAP_FOWNER capability), the open will
fail. This causes issues when from the client's point of view, it
believes it has permissions to use O_NOATIME (e.g., a process running as
root in the virtual machine). Additionally, overlayfs on Linux opens
files on the lower layer using O_NOATIME, so in this case a 9pfs mount
can't be used as a lower layer for overlayfs (cf.
https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
and https://github.com/NixOS/nixpkgs/issues/54509).

Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
network filesystems. open(2) notes that O_NOATIME "may not be effective
on all filesystems. One example is NFS, where the server maintains the
access time." This means that we can honor it when possible but fall
back to ignoring it.

Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/9p-util.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index 79ed6b233e..546f46dc7d 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
 {
     int fd, serrno, ret;
 
+again:
     fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
                 mode);
     if (fd == -1) {
+        if (errno == EPERM && (flags & O_NOATIME)) {
+            /*
+             * The client passed O_NOATIME but we lack permissions to honor it.
+             * Rather than failing the open, fall back without O_NOATIME. This
+             * doesn't break the semantics on the client side, as the Linux
+             * open(2) man page notes that O_NOATIME "may not be effective on
+             * all filesystems". In particular, NFS and other network
+             * filesystems ignore it entirely.
+             */
+            flags &= ~O_NOATIME;
+            goto again;
+        }
         return -1;
     }
 
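
Review bot: the EPERM fallback in openat_file() drops O_NOATIME silently, so nothing on the host records that access times are being updated for a client that asked for them not to be. A trace event on the retry path would make this diagnosable. The `again:` label with `goto` is bounded because the flag is cleared before the jump, but a second openat() call inside the EPERM branch would read more directly.
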
-- 
2.17.1




* [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (10 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 13/77] xen-9pfs: Fix log messages of reply errors Michael Roth
                   ` (67 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Dan Robertson, qemu-stable, Greg Kurz

From: Dan Robertson <dan@dlrobertson.com>

linux/limits.h should be included for the XATTR_SIZE_MAX definition used
by v9fs_xattrcreate.

Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate")
Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20200515203015.7090-2-dan@dlrobertson.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/9p.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 9e046f7acb..3301e82eb6 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -28,6 +28,7 @@
 #include "sysemu/qtest.h"
 #include "qemu/xxhash.h"
 #include <math.h>
+#include <linux/limits.h>
 
 int open_fd_hw;
 int total_open_fd;
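
Review bot: `#include <linux/limits.h>` is added unconditionally. If hw/9pfs/9p.c is ever built on a non-Linux host this breaks the build; a Linux-only preprocessor guard, or a fallback definition of XATTR_SIZE_MAX, would keep the file portable.
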
-- 
2.17.1




* [PATCH 13/77] xen-9pfs: Fix log messages of reply errors
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (11 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size" Michael Roth
                   ` (66 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Christian Schoenebeck, qemu-stable, Greg Kurz

From: Christian Schoenebeck <qemu_oss@crudebyte.com>

If delivery of some 9pfs response fails for some reason, log the
error message by mentioning the 9P protocol reply type, not by
client's request type. The latter could be misleading that the
error occurred already when handling the request input.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <ad0e5a9b6abde52502aa40b30661d29aebe1590a.1589132512.git.qemu_oss@crudebyte.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 9bbb7e0fe081efff2e41f8517c256b72a284fe9b)
*prereq for cf45183b718
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/xen-9p-backend.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/9pfs/xen-9p-backend.c b/hw/9pfs/xen-9p-backend.c
index 18fe5b7c92..f04caabfe5 100644
--- a/hw/9pfs/xen-9p-backend.c
+++ b/hw/9pfs/xen-9p-backend.c
@@ -137,7 +137,8 @@ static ssize_t xen_9pfs_pdu_vmarshal(V9fsPDU *pdu,
     ret = v9fs_iov_vmarshal(in_sg, num, offset, 0, fmt, ap);
     if (ret < 0) {
         xen_pv_printf(&xen_9pfs->xendev, 0,
-                      "Failed to encode VirtFS request type %d\n", pdu->id + 1);
+                      "Failed to encode VirtFS reply type %d\n",
+                      pdu->id + 1);
         xen_be_set_state(&xen_9pfs->xendev, XenbusStateClosing);
         xen_9pfs_disconnect(&xen_9pfs->xendev);
     }
@@ -201,9 +202,9 @@ static void xen_9pfs_init_in_iov_from_pdu(V9fsPDU *pdu,
 
     buf_size = iov_size(ring->sg, num);
     if (buf_size  < P9_IOHDRSZ) {
-        xen_pv_printf(&xen_9pfs->xendev, 0, "Xen 9pfs request type %d"
-                "needs %zu bytes, buffer has %zu, less than minimum\n",
-                pdu->id, *size, buf_size);
+        xen_pv_printf(&xen_9pfs->xendev, 0, "Xen 9pfs reply type %d needs "
+                      "%zu bytes, buffer has %zu, less than minimum\n",
+                      pdu->id + 1, *size, buf_size);
         xen_be_set_state(&xen_9pfs->xendev, XenbusStateClosing);
         xen_9pfs_disconnect(&xen_9pfs->xendev);
     }
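
Review bot: in xen_9pfs_init_in_iov_from_pdu() the message prints *size as the number of bytes needed, but the condition compares buf_size against P9_IOHDRSZ, so "needs %zu bytes" and "less than minimum" describe two different thresholds. Either print P9_IOHDRSZ as the minimum or reword the message so the log line matches the check that triggered it.
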
-- 
2.17.1




* [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size"
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (12 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 13/77] xen-9pfs: Fix log messages of reply errors Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring Michael Roth
                   ` (65 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefano Stabellini, qemu-stable, Greg Kurz

From: Stefano Stabellini <stefano.stabellini@xilinx.com>

This reverts commit 16724a173049ac29c7b5ade741da93a0f46edff7.
It causes https://bugs.launchpad.net/bugs/1877688.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20200521192627.15259-1-sstabellini@kernel.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit cf45183b718f02b1369e18c795dc51bc1821245d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/9p.c               | 33 +++++++++++----------------------
 hw/9pfs/9p.h               |  2 +-
 hw/9pfs/virtio-9p-device.c | 11 ++++-------
 hw/9pfs/xen-9p-backend.c   | 15 ++++++---------
 4 files changed, 22 insertions(+), 39 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 3301e82eb6..1b729af6e8 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2103,29 +2103,22 @@ out_nofid:
  * with qemu_iovec_destroy().
  */
 static void v9fs_init_qiov_from_pdu(QEMUIOVector *qiov, V9fsPDU *pdu,
-                                    size_t skip, size_t *size,
+                                    size_t skip, size_t size,
                                     bool is_write)
 {
     QEMUIOVector elem;
     struct iovec *iov;
     unsigned int niov;
-    size_t alloc_size = *size + skip;
 
     if (is_write) {
-        pdu->s->transport->init_out_iov_from_pdu(pdu, &iov, &niov, alloc_size);
+        pdu->s->transport->init_out_iov_from_pdu(pdu, &iov, &niov, size + skip);
     } else {
-        pdu->s->transport->init_in_iov_from_pdu(pdu, &iov, &niov, &alloc_size);
-    }
-
-    if (alloc_size < skip) {
-        *size = 0;
-    } else {
-        *size = alloc_size - skip;
+        pdu->s->transport->init_in_iov_from_pdu(pdu, &iov, &niov, size + skip);
     }
 
     qemu_iovec_init_external(&elem, iov, niov);
     qemu_iovec_init(qiov, niov);
-    qemu_iovec_concat(qiov, &elem, skip, *size);
+    qemu_iovec_concat(qiov, &elem, skip, size);
 }
 
 static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
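
Review bot: v9fs_init_qiov_from_pdu() now passes `size + skip` to the transport and then calls qemu_iovec_concat(qiov, &elem, skip, size) with the unmodified size. With the size no longer returned through a pointer, a transport that has fewer than size + skip bytes cannot tell the caller, so the caller depends on the transport failing hard. Please document that contract at the init_in_iov_from_pdu declaration, and check `size + skip` for wrap-around, since callers pass request-derived counts such as max_count.
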
@@ -2133,14 +2126,15 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
 {
     ssize_t err;
     size_t offset = 7;
-    size_t read_count;
+    uint64_t read_count;
     QEMUIOVector qiov_full;
 
     if (fidp->fs.xattr.len < off) {
         read_count = 0;
-    } else if (fidp->fs.xattr.len - off < max_count) {
-        read_count = fidp->fs.xattr.len - off;
     } else {
+        read_count = fidp->fs.xattr.len - off;
+    }
+    if (read_count > max_count) {
         read_count = max_count;
     }
     err = pdu_marshal(pdu, offset, "d", read_count);
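
Review bot: read_count becomes uint64_t in v9fs_xattr_read() but is still passed to pdu_marshal() with the "d" format. If "d" consumes a 32-bit argument, the width of the variadic argument no longer matches; cast to the marshalled type at the call, or keep a separate 32-bit variable for the value that goes on the wire.
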
@@ -2149,7 +2143,7 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
     }
     offset += err;
 
-    v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, &read_count, false);
+    v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, read_count, false);
     err = v9fs_pack(qiov_full.iov, qiov_full.niov, 0,
                     ((char *)fidp->fs.xattr.value) + off,
                     read_count);
@@ -2278,11 +2272,9 @@ static void coroutine_fn v9fs_read(void *opaque)
         QEMUIOVector qiov_full;
         QEMUIOVector qiov;
         int32_t len;
-        size_t size = max_count;
 
-        v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset + 4, &size, false);
+        v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset + 4, max_count, false);
         qemu_iovec_init(&qiov, qiov_full.niov);
-        max_count = size;
         do {
             qemu_iovec_reset(&qiov);
             qemu_iovec_concat(&qiov, &qiov_full, count, qiov_full.size - count);
@@ -2533,7 +2525,6 @@ static void coroutine_fn v9fs_write(void *opaque)
     int32_t len = 0;
     int32_t total = 0;
     size_t offset = 7;
-    size_t size;
     V9fsFidState *fidp;
     V9fsPDU *pdu = opaque;
     V9fsState *s = pdu->s;
@@ -2546,9 +2537,7 @@ static void coroutine_fn v9fs_write(void *opaque)
         return;
     }
     offset += err;
-    size = count;
-    v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, &size, true);
-    count = size;
+    v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, count, true);
     trace_v9fs_write(pdu->tag, pdu->id, fid, off, count, qiov_full.niov);
 
     fidp = get_fid(pdu, fid);
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index c381fe091a..656527beb9 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -436,7 +436,7 @@ struct V9fsTransport {
     ssize_t     (*pdu_vunmarshal)(V9fsPDU *pdu, size_t offset, const char *fmt,
                                   va_list ap);
     void        (*init_in_iov_from_pdu)(V9fsPDU *pdu, struct iovec **piov,
-                                        unsigned int *pniov, size_t *size);
+                                        unsigned int *pniov, size_t size);
     void        (*init_out_iov_from_pdu)(V9fsPDU *pdu, struct iovec **piov,
                                          unsigned int *pniov, size_t size);
     void        (*push_and_notify)(V9fsPDU *pdu);
diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c
index 536447a355..f821236356 100644
--- a/hw/9pfs/virtio-9p-device.c
+++ b/hw/9pfs/virtio-9p-device.c
@@ -147,22 +147,19 @@ static ssize_t virtio_pdu_vunmarshal(V9fsPDU *pdu, size_t offset,
 }
 
 static void virtio_init_in_iov_from_pdu(V9fsPDU *pdu, struct iovec **piov,
-                                        unsigned int *pniov, size_t *size)
+                                        unsigned int *pniov, size_t size)
 {
     V9fsState *s = pdu->s;
     V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
     VirtQueueElement *elem = v->elems[pdu->idx];
     size_t buf_size = iov_size(elem->in_sg, elem->in_num);
 
-    if (buf_size < P9_IOHDRSZ) {
+    if (buf_size < size) {
         VirtIODevice *vdev = VIRTIO_DEVICE(v);
 
         virtio_error(vdev,
-                     "VirtFS reply type %d needs %zu bytes, buffer has %zu, less than minimum",
-                     pdu->id + 1, *size, buf_size);
-    }
-    if (buf_size < *size) {
-        *size = buf_size;
+                     "VirtFS reply type %d needs %zu bytes, buffer has %zu",
+                     pdu->id + 1, size, buf_size);
     }
 
     *piov = elem->in_sg;
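
Review bot: after virtio_error() in the `buf_size < size` branch, virtio_init_in_iov_from_pdu() still falls through to `*piov = elem->in_sg;`. With the size clamp removed, the caller continues with the full requested size against a smaller buffer and relies entirely on the device having been marked broken. An early return that hands back an empty vector, or a comment stating why falling through is safe, would make the error path explicit.
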
diff --git a/hw/9pfs/xen-9p-backend.c b/hw/9pfs/xen-9p-backend.c
index f04caabfe5..fc197f6c8a 100644
--- a/hw/9pfs/xen-9p-backend.c
+++ b/hw/9pfs/xen-9p-backend.c
@@ -188,7 +188,7 @@ static void xen_9pfs_init_out_iov_from_pdu(V9fsPDU *pdu,
 static void xen_9pfs_init_in_iov_from_pdu(V9fsPDU *pdu,
                                           struct iovec **piov,
                                           unsigned int *pniov,
-                                          size_t *size)
+                                          size_t size)
 {
     Xen9pfsDev *xen_9pfs = container_of(pdu->s, Xen9pfsDev, state);
     Xen9pfsRing *ring = &xen_9pfs->rings[pdu->tag % xen_9pfs->num_rings];
@@ -198,19 +198,16 @@ static void xen_9pfs_init_in_iov_from_pdu(V9fsPDU *pdu,
     g_free(ring->sg);
 
     ring->sg = g_new0(struct iovec, 2);
-    xen_9pfs_in_sg(ring, ring->sg, &num, pdu->idx, *size);
+    xen_9pfs_in_sg(ring, ring->sg, &num, pdu->idx, size);
 
     buf_size = iov_size(ring->sg, num);
-    if (buf_size  < P9_IOHDRSZ) {
-        xen_pv_printf(&xen_9pfs->xendev, 0, "Xen 9pfs reply type %d needs "
-                      "%zu bytes, buffer has %zu, less than minimum\n",
-                      pdu->id + 1, *size, buf_size);
+    if (buf_size  < size) {
+        xen_pv_printf(&xen_9pfs->xendev, 0, "Xen 9pfs request type %d"
+                "needs %zu bytes, buffer has %zu\n", pdu->id, size,
+                buf_size);
         xen_be_set_state(&xen_9pfs->xendev, XenbusStateClosing);
         xen_9pfs_disconnect(&xen_9pfs->xendev);
     }
-    if (buf_size  < *size) {
-        *size = buf_size;
-    }
 
     *piov = ring->sg;
     *pniov = num;
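
Review bot: the restored message in the `buf_size < size` branch is missing a space between the adjacent string literals ("Xen 9pfs request type %d" followed directly by "needs %zu bytes"), so the type number is printed fused with "needs". It also goes back to "request type" with pdu->id, where the removed lines say "reply type" with pdu->id + 1. If the revert is meant to be mechanical, a follow-up should restore the corrected wording.
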
-- 
2.17.1




* [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (13 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size" Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-04 10:59   ` Christian Schoenebeck
  2020-09-03 20:58 ` [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800) Michael Roth
                   ` (64 subsequent siblings)
  79 siblings, 1 reply; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefano Stabellini, qemu-stable, Greg Kurz

From: Stefano Stabellini <stefano.stabellini@xilinx.com>

Instead of truncating replies, which is problematic, wait until the
client reads more data and frees bytes on the reply ring.

Do that by calling qemu_coroutine_yield(). The corresponding
qemu_coroutine_enter_if_inactive() is called from xen_9pfs_bh upon
receiving the next notification from the client.

We need to be careful to avoid races in case xen_9pfs_bh and the
coroutine are both active at the same time. In xen_9pfs_bh, wait until
either the critical section is over (ring->co == NULL) or until the
coroutine becomes inactive (qemu_coroutine_yield() was called) before
continuing. Then, simply wake up the coroutine if it is inactive.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20200521192627.15259-2-sstabellini@kernel.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit a4c4d462729466c4756bac8a0a8d77eb63b21ef7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/9pfs/xen-9p-backend.c | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/xen-9p-backend.c b/hw/9pfs/xen-9p-backend.c
index fc197f6c8a..3c84c86ab8 100644
--- a/hw/9pfs/xen-9p-backend.c
+++ b/hw/9pfs/xen-9p-backend.c
@@ -37,6 +37,7 @@ typedef struct Xen9pfsRing {
 
     struct iovec *sg;
     QEMUBH *bh;
+    Coroutine *co;
 
     /* local copies, so that we can read/write PDU data directly from
      * the ring */
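Review bot: the new co field in Xen9pfsRing is undocumented although it is written by the coroutine and read from xen_9pfs_bh. A comment at the declaration should say that it is non-NULL only while xen_9pfs_init_in_iov_from_pdu is inside its critical section, and that accesses are ordered by the smp_wmb/smp_rmb pair.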
@@ -198,16 +199,20 @@ static void xen_9pfs_init_in_iov_from_pdu(V9fsPDU *pdu,
     g_free(ring->sg);
 
     ring->sg = g_new0(struct iovec, 2);
-    xen_9pfs_in_sg(ring, ring->sg, &num, pdu->idx, size);
+    ring->co = qemu_coroutine_self();
+    /* make sure other threads see ring->co changes before continuing */
+    smp_wmb();
 
+again:
+    xen_9pfs_in_sg(ring, ring->sg, &num, pdu->idx, size);
     buf_size = iov_size(ring->sg, num);
     if (buf_size  < size) {
-        xen_pv_printf(&xen_9pfs->xendev, 0, "Xen 9pfs request type %d"
-                "needs %zu bytes, buffer has %zu\n", pdu->id, size,
-                buf_size);
-        xen_be_set_state(&xen_9pfs->xendev, XenbusStateClosing);
-        xen_9pfs_disconnect(&xen_9pfs->xendev);
+        qemu_coroutine_yield();
+        goto again;
     }
+    ring->co = NULL;
+    /* make sure other threads see ring->co changes before continuing */
+    smp_wmb();
 
     *piov = ring->sg;
     *pniov = num;
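Review bot: the again: loop in xen_9pfs_init_in_iov_from_pdu has no exit other than the ring gaining space, so a guest that never consumes replies leaves this coroutine parked with ring->co set for as long as the device exists. The removed branch at least disconnected the backend. Please say how a parked coroutine is handled on disconnect, and consider failing the request when size can never fit in the ring at all, since yielding cannot help in that case.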
@@ -292,6 +297,20 @@ static int xen_9pfs_receive(Xen9pfsRing *ring)
 static void xen_9pfs_bh(void *opaque)
 {
     Xen9pfsRing *ring = opaque;
+    bool wait;
+
+again:
+    wait = ring->co != NULL && qemu_coroutine_entered(ring->co);
+    /* paired with the smb_wmb barriers in xen_9pfs_init_in_iov_from_pdu */
+    smp_rmb();
+    if (wait) {
+        cpu_relax();
+        goto again;
+    }
+
+    if (ring->co != NULL) {
+        qemu_coroutine_enter_if_inactive(ring->co);
+    }
     xen_9pfs_receive(ring);
 }
 
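Review bot: xen_9pfs_bh reads ring->co three times without a local copy (once for the wait test, once for the NULL check, once for the enter call), while the coroutine side sets it to NULL concurrently. Load it once into a local and use that for both the check and qemu_coroutine_enter_if_inactive(). The cpu_relax() loop also spins in a bottom half with no bound, and the comment should read smp_wmb, not smb_wmb.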
-- 
2.17.1




* [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800)
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (14 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 17/77] es1370: check total frame count against current frame Michael Roth
                   ` (63 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, qemu-stable, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit a98610c429d52db0937c1e48659428929835c455)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/ati.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 58ec8291d4..9228f1b242 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
             if (idx <= s->vga.vram_size - size) {
                 val = ldn_le_p(s->vga.vram_ptr + idx, size);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
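Review bot: the bound MM_DATA + 3 in the new else-if of ati_mm_read is unexplained; a one-line comment saying that any mm_index inside the MM_DATA window would re-enter this same case would make the intent clear. In the new else branch val is never assigned, so the read returns whatever val was initialised with; please confirm that is 0 and not stale data.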
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
             if (idx <= s->vga.vram_size - size) {
                 stn_le_p(s->vga.vram_ptr + idx, size, data);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
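Review bot: ati_mm_write repeats the same mm_index > MM_DATA + 3 test and log text as ati_mm_read; a small shared helper or macro would keep the two from drifting apart if the window size ever changes. The rejected write is dropped silently apart from LOG_GUEST_ERROR, which is fine, but say so in a comment.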
-- 
2.17.1




* [PATCH 17/77] es1370: check total frame count against current frame
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (15 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800) Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 18/77] Fix tulip breakage Michael Roth
                   ` (62 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, qemu-stable, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is less than the number of frames that are processed
'cnt'.

    int cnt = d->frame_cnt >> 16;
    int size = d->frame_cnt & 0xffff;

if (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 369ff955a8497988d079c4e3fa1e93c2570c1c69)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/audio/es1370.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 89c4dabcd4..5f8a83ff56 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     int csc_bytes = (csc + 1) << d->shift;
     int cnt = d->frame_cnt >> 16;
     int size = d->frame_cnt & 0xffff;
+    if (size < cnt) {
+        return;
+    }
     int left = ((size - cnt + 1) << 2) + d->leftover;
     int transferred = 0;
     int temp = MIN (max, MIN (left, csc_bytes));
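Review bot: the size < cnt check sits between declarations, so int left, int transferred and int temp are now declared after a statement, which the QEMU coding style discourages; declare them first and assign after the check. The early return is also silent: a qemu_log_mask(LOG_GUEST_ERROR, ...) line would make a misprogrammed frame count visible, and it is worth confirming that skipping the rest of the function leaves the channel state consistent.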
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     addr += (cnt << 2) + d->leftover;
 
     if (index == ADC_CHANNEL) {
-        while (temp) {
+        while (temp > 0) {
             int acquired, to_copy;
 
             to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
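Review bot: while (temp > 0) only hides a negative temp; the value still comes from MIN (max, MIN (left, csc_bytes)) and is cast to size_t in the next line. Clamping or rejecting a negative temp where it is computed would cover both the ADC and the DAC loop in one place and make the cast obviously safe.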
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     else {
         SWVoiceOut *voice = s->dac_voice[index];
 
-        while (temp) {
+        while (temp > 0) {
             int copied, to_copy;
 
             to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
-- 
2.17.1




* [PATCH 18/77] Fix tulip breakage
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (16 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 17/77] es1370: check total frame count against current frame Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 19/77] iotests/283: Use consistent size for source and target Michael Roth
                   ` (61 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Jason Wang, Helge Deller, qemu-stable

From: Helge Deller <deller@gmx.de>

The tulip network driver in a qemu-system-hppa emulation is broken in
the sense that bigger network packages aren't received any longer and
thus even running e.g. "apt update" inside the VM fails.

The breakage was introduced by commit 8ffb7265af ("check frame size and
r/w data length") which added checks to prevent accesses outside of the
rx/tx buffers.

But the new checks were implemented wrong. The variable rx_frame_len
counts backwards, from rx_frame_size down to zero, and the variable len
is never bigger than rx_frame_len, so accesses just can't happen and the
checks are unnecessary.
On the contrary, the checks now prevented bigger packages from being moved
into the rx buffers.

This patch reverts the wrong checks and was successfully tested with a
qemu-system-hppa emulation.

Fixes: 8ffb7265af ("check frame size and r/w data length")
Buglink: https://bugs.launchpad.net/bugs/1874539
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/tulip.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 1295f51d07..44db56447c 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
             len = s->rx_frame_len;
         }
 
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
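Review bot: with the check removed, the pci_dma_write() in tulip_copy_rx_bytes relies entirely on two invariants that are not stated here: len <= rx_frame_len (visible just above) and rx_frame_size <= sizeof(s->rx_frame) (enforced elsewhere). Rather than deleting the guard outright, replace it with one that matches the arithmetic, for example an assert that s->rx_frame_size - s->rx_frame_len + len <= sizeof(s->rx_frame), so the original out-of-bounds concern stays covered. The same applies to the buf_addr2 copy in the next hunk.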
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
             len = s->rx_frame_len;
         }
 
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
-- 
2.17.1




* [PATCH 19/77] iotests/283: Use consistent size for source and target
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (17 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 18/77] Fix tulip breakage Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option Michael Roth
                   ` (60 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The test case forgot to specify the null-co size for the target node.
When adding a check to backup that both sizes match, this would fail
because of the size mismatch and not the behaviour that the test really
wanted to test.

Fixes: a541fcc27c98b96da187c7d4573f3270f3ddd283
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200430142755.315494-2-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 813cc2545b82409fd504509f0ba2e96fab6edb9e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/283     | 6 +++++-
 tests/qemu-iotests/283.out | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
index 55b7cff953..44de76effe 100644
--- a/tests/qemu-iotests/283
+++ b/tests/qemu-iotests/283
@@ -72,7 +72,11 @@ to check that crash is fixed :)
 vm = iotests.VM()
 vm.launch()
 
-vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'})
+vm.qmp_log('blockdev-add', **{
+    'node-name': 'target',
+    'driver': 'null-co',
+    'size': size,
+})
 
 vm.qmp_log('blockdev-add', **{
     'node-name': 'source',
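Review bot: the target node now takes its size from the same size variable as the source, but nothing in the test says the two must match. A short comment above this blockdev-add stating that backup requires equal source and target sizes would stop a later edit from reintroducing the mismatch.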
diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out
index daaf5828c1..d8cff22cc1 100644
--- a/tests/qemu-iotests/283.out
+++ b/tests/qemu-iotests/283.out
@@ -1,4 +1,4 @@
-{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}}
+{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target", "size": 1048576}}
 {"return": {}}
 {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}}
 {"return": {}}
-- 
2.17.1




* [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (18 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 19/77] iotests/283: Use consistent size for source and target Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) Michael Roth
                   ` (59 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Hajnoczi, Dr . David Alan Gilbert

From: Stefan Hajnoczi <stefanha@redhat.com>

Make it possible to specify the RLIMIT_NOFILE on the command-line.
Users running multiple virtiofsd processes should allocate a certain
number to each process so that the system-wide limit can never be
exhausted.

When this option is set to 0 the rlimit is left at its current value.
This is useful when a management tool wants to configure the rlimit
itself.

The default behavior remains unchanged: try to set the limit to
1,000,000 file descriptors if the current rlimit is lower.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200501140644.220940-2-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 6dbb716877728ce4eb51619885ef6ef4ada9565f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tools/virtiofsd/fuse_lowlevel.h  |  1 +
 tools/virtiofsd/helper.c         | 23 +++++++++++++++++++++++
 tools/virtiofsd/passthrough_ll.c | 22 ++++++++--------------
 3 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/tools/virtiofsd/fuse_lowlevel.h b/tools/virtiofsd/fuse_lowlevel.h
index 8f6d705b5c..562fd5241e 100644
--- a/tools/virtiofsd/fuse_lowlevel.h
+++ b/tools/virtiofsd/fuse_lowlevel.h
@@ -1777,6 +1777,7 @@ struct fuse_cmdline_opts {
     int syslog;
     int log_level;
     unsigned int max_idle_threads;
+    unsigned long rlimit_nofile;
 };
 
 /**
diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
index 819c2bc13c..dc59f38af0 100644
--- a/tools/virtiofsd/helper.c
+++ b/tools/virtiofsd/helper.c
@@ -23,6 +23,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/param.h>
+#include <sys/time.h>
+#include <sys/resource.h>
 #include <unistd.h>
 
 #define FUSE_HELPER_OPT(t, p)                       \
@@ -53,6 +55,7 @@ static const struct fuse_opt fuse_helper_opts[] = {
     FUSE_HELPER_OPT("subtype=", nodefault_subtype),
     FUSE_OPT_KEY("subtype=", FUSE_OPT_KEY_KEEP),
     FUSE_HELPER_OPT("max_idle_threads=%u", max_idle_threads),
+    FUSE_HELPER_OPT("--rlimit-nofile=%lu", rlimit_nofile),
     FUSE_HELPER_OPT("--syslog", syslog),
     FUSE_HELPER_OPT_VALUE("log_level=debug", log_level, FUSE_LOG_DEBUG),
     FUSE_HELPER_OPT_VALUE("log_level=info", log_level, FUSE_LOG_INFO),
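Review bot: --rlimit-nofile=%lu is accepted with no range validation in this hunk, so an out-of-range or nonsensical value is only caught, if at all, when setrlimit() fails later. Validate the parsed value after fuse_opt_parse() and reject it with a clear error message.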
@@ -171,6 +174,9 @@ void fuse_cmdline_help(void)
            "                               default: no_writeback\n"
            "    -o xattr|no_xattr          enable/disable xattr\n"
            "                               default: no_xattr\n"
+           "    --rlimit-nofile=<num>      set maximum number of file descriptors\n"
+           "                               (0 leaves rlimit unchanged)\n"
+           "                               default: 1,000,000 if the current rlimit is lower\n"
            );
 }
 
@@ -191,11 +197,28 @@ static int fuse_helper_opt_proc(void *data, const char *arg, int key,
     }
 }
 
+static unsigned long get_default_rlimit_nofile(void)
+{
+    rlim_t max_fds = 1000000; /* our default RLIMIT_NOFILE target */
+    struct rlimit rlim;
+
+    if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
+        fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n");
+        exit(1);
+    }
+
+    if (rlim.rlim_cur >= max_fds) {
+        return 0; /* we have more fds available than required! */
+    }
+    return max_fds;
+}
+
 int fuse_parse_cmdline(struct fuse_args *args, struct fuse_cmdline_opts *opts)
 {
     memset(opts, 0, sizeof(struct fuse_cmdline_opts));
 
     opts->max_idle_threads = 10;
+    opts->rlimit_nofile = get_default_rlimit_nofile();
     opts->foreground = 1;
 
     if (fuse_opt_parse(args, opts, fuse_helper_opts, fuse_helper_opt_proc) ==
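Review bot: get_default_rlimit_nofile() is called unconditionally in fuse_parse_cmdline before the options are parsed, so a getrlimit() failure exits the daemon even when the user passes an explicit --rlimit-nofile value and the default is never used. Compute the default only when the option was not given, and avoid exit(1) inside a helper that otherwise reports errors through its return value.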
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 4c35c95b25..f7b9c1d20c 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2707,24 +2707,18 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
     setup_seccomp(enable_syslog);
 }
 
-/* Raise the maximum number of open file descriptors */
-static void setup_nofile_rlimit(void)
+/* Set the maximum number of open file descriptors */
+static void setup_nofile_rlimit(unsigned long rlimit_nofile)
 {
-    const rlim_t max_fds = 1000000;
-    struct rlimit rlim;
-
-    if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
-        fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n");
-        exit(1);
-    }
+    struct rlimit rlim = {
+        .rlim_cur = rlimit_nofile,
+        .rlim_max = rlimit_nofile,
+    };
 
-    if (rlim.rlim_cur >= max_fds) {
+    if (rlimit_nofile == 0) {
         return; /* nothing to do */
     }
 
-    rlim.rlim_cur = max_fds;
-    rlim.rlim_max = max_fds;
-
     if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
         /* Ignore SELinux denials */
         if (errno == EPERM) {
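Review bot: setup_nofile_rlimit() now sets rlim_max as well as rlim_cur to a user-supplied number, so a small value permanently lowers the hard limit and a value above the current hard limit fails with EPERM for an unprivileged process. The EPERM branch kept as context attributes that failure to SELinux, which means an explicitly requested limit can fail to apply without the user being told the real reason; log the requested value and the failure distinctly when the option was given on the command line.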
@@ -2977,7 +2971,7 @@ int main(int argc, char *argv[])
 
     fuse_daemonize(opts.foreground);
 
-    setup_nofile_rlimit();
+    setup_nofile_rlimit(opts.rlimit_nofile);
 
     /* Must be before sandbox since it wants /proc */
     setup_capng();
-- 
2.17.1




* [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (19 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets() Michael Roth
                   ` (58 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Hajnoczi, Dr . David Alan Gilbert

From: Stefan Hajnoczi <stefanha@redhat.com>

The system-wide fs.file-max sysctl value determines how many files can
be open.  It defaults to a value calculated based on the machine's RAM
size.  Previously virtiofsd would try to set RLIMIT_NOFILE to 1,000,000
and this allowed the FUSE client to exhaust the number of open files
system-wide on Linux hosts with less than 10 GB of RAM!

Take fs.file-max into account when choosing the default RLIMIT_NOFILE
value.

Fixes: CVE-2020-10717
Reported-by: Yuval Avrahami <yavrahami@paloaltonetworks.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200501140644.220940-3-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 8c1d353d107b4fc344e27f2f08ea7fa25de2eea2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tools/virtiofsd/helper.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
index dc59f38af0..00a1ef666a 100644
--- a/tools/virtiofsd/helper.c
+++ b/tools/virtiofsd/helper.c
@@ -176,7 +176,8 @@ void fuse_cmdline_help(void)
            "                               default: no_xattr\n"
            "    --rlimit-nofile=<num>      set maximum number of file descriptors\n"
            "                               (0 leaves rlimit unchanged)\n"
-           "                               default: 1,000,000 if the current rlimit is lower\n"
+           "                               default: min(1000000, fs.file-max - 16384)\n"
+           "                                        if the current rlimit is lower\n"
            );
 }
 
@@ -199,9 +200,32 @@ static int fuse_helper_opt_proc(void *data, const char *arg, int key,
 
 static unsigned long get_default_rlimit_nofile(void)
 {
+    g_autofree gchar *file_max_str = NULL;
+    const rlim_t reserved_fds = 16384; /* leave at least this many fds free */
     rlim_t max_fds = 1000000; /* our default RLIMIT_NOFILE target */
+    rlim_t file_max;
     struct rlimit rlim;
 
+    /*
+     * Reduce max_fds below the system-wide maximum, if necessary.  This
+     * ensures there are fds available for other processes so we don't
+     * cause resource exhaustion.
+     */
+    if (!g_file_get_contents("/proc/sys/fs/file-max", &file_max_str,
+                             NULL, NULL)) {
+        fuse_log(FUSE_LOG_ERR, "can't read /proc/sys/fs/file-max\n");
+        exit(1);
+    }
+    file_max = g_ascii_strtoull(file_max_str, NULL, 10);
+    if (file_max < 2 * reserved_fds) {
+        fuse_log(FUSE_LOG_ERR,
+                 "The fs.file-max sysctl is too low (%lu) to allow a "
+                 "reasonable number of open files.\n",
+                 (unsigned long)file_max);
+        exit(1);
+    }
+    max_fds = MIN(file_max - reserved_fds, max_fds);
+
     if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
         fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n");
         exit(1);
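Review bot: max_fds = MIN(file_max - reserved_fds, max_fds) is computed per process from a value read once at startup, so several virtiofsd instances on one host each get nearly all of fs.file-max and can still exhaust it together; the help text should point at --rlimit-nofile for that case. The result of g_ascii_strtoull() is not checked for a parse failure (it happens to fall into the "too low" error as 0), and the exit(1) on an unreadable /proc/sys/fs/file-max fires even when the user supplied an explicit --rlimit-nofile.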
-- 
2.17.1




* [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets()
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (20 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG Michael Roth
                   ` (57 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Jason Wang, qemu-stable

From: Jason Wang <jasowang@redhat.com>

The sender of packet will be checked in the qemu_net_queue_purge() but
we use NetClientState not its peer when trying to purge the incoming
queue in qemu_flush_or_purge_packets(). This will trigger the assert
in virtio_net_reset since we can't pass the sender check:

hw/net/virtio-net.c:533: void virtio_net_reset(VirtIODevice *): Assertion
`!virtio_net_get_subqueue(nc)->async_tx.elem' failed.
#9 0x55a33fa31b78 in virtio_net_reset hw/net/virtio-net.c:533:13
#10 0x55a33fc88412 in virtio_reset hw/virtio/virtio.c:1919:9
#11 0x55a341d82764 in virtio_bus_reset hw/virtio/virtio-bus.c:95:9
#12 0x55a341dba2de in virtio_pci_reset hw/virtio/virtio-pci.c:1824:5
#13 0x55a341db3e02 in virtio_pci_common_write hw/virtio/virtio-pci.c:1252:13
#14 0x55a33f62117b in memory_region_write_accessor memory.c:496:5
#15 0x55a33f6205e4 in access_with_adjusted_size memory.c:557:18
#16 0x55a33f61e177 in memory_region_dispatch_write memory.c:1488:16

Reproducer:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg701914.html

Fix by using the peer.

Reported-by: "Alexander Bulekov" <alxndr@bu.edu>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: ca77d85e1dbf9 ("net: complete all queued packets on VM stop")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 5fe19fb81839ea42b592b409f725349cf3c73551)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 net/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index cbeeeadff8..4c62b10acd 100644
--- a/net/net.c
+++ b/net/net.c
@@ -610,7 +610,7 @@ void qemu_flush_or_purge_queued_packets(NetClientState *nc, bool purge)
         qemu_notify_event();
     } else if (purge) {
         /* Unable to empty the queue, purge remaining packets */
-        qemu_net_queue_purge(nc->incoming_queue, nc);
+        qemu_net_queue_purge(nc->incoming_queue, nc->peer);
     }
 }
 
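Review bot: nc->peer is passed to qemu_net_queue_purge() without a NULL check or a comment; for a client with no peer the purge would match no sender and leave the queue as it was. Add a comment explaining that packets on nc->incoming_queue were sent by the peer, and state (or assert) what is expected when nc->peer is NULL.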
-- 
2.17.1




* [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (21 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets() Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy() Michael Roth
                   ` (56 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

Currently, QEMU is overriding KVM_GET_SUPPORTED_CPUID's answer for
the WAITPKG bit depending on the "-overcommit cpu-pm" setting.  This is a
bad idea because it does not even check if the host supports it, but it
can be done in x86_cpu_realizefn just like we do for the MONITOR bit.

This patch moves it there, while making it conditional on host
support for the related UMWAIT MSR.

Cc: qemu-stable@nongnu.org
Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e1e43813e7908b063938a3d01f172f88f6190c80)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target/i386/cpu.c      |  3 +++
 target/i386/kvm.c      | 11 +++++------
 target/i386/kvm_i386.h |  1 +
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 90ffc5f3b1..471db0724f 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -6491,6 +6491,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
             host_cpuid(5, 0, &cpu->mwait.eax, &cpu->mwait.ebx,
                        &cpu->mwait.ecx, &cpu->mwait.edx);
             env->features[FEAT_1_ECX] |= CPUID_EXT_MONITOR;
+            if (kvm_enabled() && kvm_has_waitpkg()) {
+                env->features[FEAT_7_0_ECX] |= CPUID_7_0_ECX_WAITPKG;
+            }
         }
         if (kvm_enabled() && cpu->ucode_rev == 0) {
             cpu->ucode_rev = kvm_arch_get_supported_msr_feature(kvm_state,
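Review bot: the new block in x86_cpu_realizefn ORs CPUID_7_0_ECX_WAITPKG into env->features whenever kvm_has_waitpkg() is true, regardless of what the selected CPU model or the user's feature flags asked for. That mirrors the MONITOR line above, but it deserves a comment, and it is worth confirming that an explicit request to disable the feature is still honoured.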
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 4901c6dd74..f9c873bcad 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -407,12 +407,6 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
         if (host_tsx_blacklisted()) {
             ret &= ~(CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_HLE);
         }
-    } else if (function == 7 && index == 0 && reg == R_ECX) {
-        if (enable_cpu_pm) {
-            ret |= CPUID_7_0_ECX_WAITPKG;
-        } else {
-            ret &= ~CPUID_7_0_ECX_WAITPKG;
-        }
     } else if (function == 7 && index == 0 && reg == R_EDX) {
         /*
          * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts.
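Review bot: removing this branch from kvm_arch_get_supported_cpuid also removes the else arm that cleared CPUID_7_0_ECX_WAITPKG when enable_cpu_pm was off, so the bit now passes through exactly as KVM reports it. The commit message only discusses the forced-on case; please state the effect on guests started without cpu-pm and whether existing machine types or migration streams see a CPUID change.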
@@ -4678,3 +4672,8 @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
 {
     abort();
 }
+
+bool kvm_has_waitpkg(void)
+{
+    return has_msr_umwait;
+}
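Review bot: kvm_has_waitpkg() is named after the CPUID feature but returns has_msr_umwait, and there is no comment tying the two together or saying when has_msr_umwait becomes valid. Add a one-line comment that WAITPKG is only usable when the UMWAIT MSR is available, and note the initialisation order the caller in x86_cpu_realizefn depends on.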
diff --git a/target/i386/kvm_i386.h b/target/i386/kvm_i386.h
index 00bde7acaf..064b8798a2 100644
--- a/target/i386/kvm_i386.h
+++ b/target/i386/kvm_i386.h
@@ -44,6 +44,7 @@ void kvm_put_apicbase(X86CPU *cpu, uint64_t value);
 
 bool kvm_enable_x2apic(void);
 bool kvm_has_x2apic_api(void);
+bool kvm_has_waitpkg(void);
 
 bool kvm_hv_vpindex_settable(void);
 
-- 
2.17.1




* [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy()
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (22 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used Michael Roth
                   ` (55 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Hajnoczi

From: Stefan Hajnoczi <stefanha@redhat.com>

The io_uring file descriptor monitoring implementation has an internal
list of fd handlers that are pending submission to io_uring.
fdmon_io_uring_destroy() deletes all fd handlers on the list.

Don't delete fd handlers directly in fdmon_io_uring_destroy() for two
reasons:
1. This duplicates the aio-posix.c AioHandler deletion code and could
   become outdated if the struct changes.
2. Only handlers with the FDMON_IO_URING_REMOVE flag set are safe to
   remove. If the flag is not set then something still has a pointer to
   the fd handler. Let aio-posix.c and its user worry about that. In
   practice this isn't an issue because fdmon_io_uring_destroy() is only
   called when shutting down so all users have removed their fd
   handlers, but the next patch will need this!

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
Message-id: 20200511183630.279750-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit de137e44f75d9868f5b548638081850f6ac771f2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 util/aio-posix.c      |  1 +
 util/fdmon-io_uring.c | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/util/aio-posix.c b/util/aio-posix.c
index c3613d299e..8af334ab19 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -679,6 +679,7 @@ void aio_context_destroy(AioContext *ctx)
 {
     fdmon_io_uring_destroy(ctx);
     fdmon_epoll_disable(ctx);
+    aio_free_deleted_handlers(ctx);
 }
 
 void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns,
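Review bot: aio_free_deleted_handlers() in aio_context_destroy only works if it runs after fdmon_io_uring_destroy() has moved handlers onto the deleted list, but nothing here documents that ordering. Add a comment so the calls are not reordered later.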
diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
index d5a80ed6fb..1d14177df0 100644
--- a/util/fdmon-io_uring.c
+++ b/util/fdmon-io_uring.c
@@ -342,11 +342,18 @@ void fdmon_io_uring_destroy(AioContext *ctx)
 
         io_uring_queue_exit(&ctx->fdmon_io_uring);
 
-        /* No need to submit these anymore, just free them. */
+        /* Move handlers due to be removed onto the deleted list */
         while ((node = QSLIST_FIRST_RCU(&ctx->submit_list))) {
+            unsigned flags = atomic_fetch_and(&node->flags,
+                    ~(FDMON_IO_URING_PENDING |
+                      FDMON_IO_URING_ADD |
+                      FDMON_IO_URING_REMOVE));
+
+            if (flags & FDMON_IO_URING_REMOVE) {
+                QLIST_INSERT_HEAD_RCU(&ctx->deleted_aio_handlers, node, node_deleted);
+            }
+
             QSLIST_REMOVE_HEAD_RCU(&ctx->submit_list, node_submitted);
-            QLIST_REMOVE(node, node);
-            g_free(node);
         }
 
         ctx->fdmon_ops = &fdmon_poll_ops;
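Review bot: in the while loop, a node taken off submit_list without FDMON_IO_URING_REMOVE set now has its flags cleared and is otherwise left alone, where the old code freed it, and the new comment only covers the REMOVE case. Say in the comment that such nodes stay owned by aio-posix.c and its users, as the commit message does, so the missing else branch does not read as an oversight. The QLIST_INSERT_HEAD_RCU(...) line also runs past 80 columns and could be wrapped.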
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (23 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy() Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output Michael Roth
                   ` (54 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Hajnoczi

From: Stefan Hajnoczi <stefanha@redhat.com>

The glib event loop does not call fdmon_io_uring_wait() so fd handlers
waiting to be submitted build up in the list. There is no benefit in
using io_uring when the glib GSource is being used, so disable it
instead of implementing a more complex fix.

This fixes a memory leak where AioHandlers would build up and increasing
amounts of CPU time were spent iterating them in aio_pending(). The
symptom is that guests become slow when QEMU is built with io_uring
support.

Buglink: https://bugs.launchpad.net/qemu/+bug/1877716
Fixes: 73fd282e7b6dd4e4ea1c3bbb3d302c8db51e4ccf ("aio-posix: add io_uring fd monitoring implementation")
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
Message-id: 20200511183630.279750-3-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit ba607ca8bff4d2c2062902f8355657c865ac7c29)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/block/aio.h |  3 +++
 util/aio-posix.c    | 12 ++++++++++++
 util/aio-win32.c    |  4 ++++
 util/async.c        |  1 +
 4 files changed, 20 insertions(+)

diff --git a/include/block/aio.h b/include/block/aio.h
index 62ed954344..b2f703fa3f 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -701,6 +701,9 @@ void aio_context_setup(AioContext *ctx);
  */
 void aio_context_destroy(AioContext *ctx);
 
+/* Used internally, do not call outside AioContext code */
+void aio_context_use_g_source(AioContext *ctx);
+
 /**
  * aio_context_set_poll_params:
  * @ctx: the aio context
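Review bot: the comment on aio_context_use_g_source() says who may call it but not what it does, while the neighbouring declarations carry full /** ... @ctx */ doc blocks. Document in the same style that it switches the context away from io_uring fd monitoring, and that this patch adds no call to switch back.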
diff --git a/util/aio-posix.c b/util/aio-posix.c
index 8af334ab19..1b2a3af65b 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -682,6 +682,18 @@ void aio_context_destroy(AioContext *ctx)
     aio_free_deleted_handlers(ctx);
 }
 
+void aio_context_use_g_source(AioContext *ctx)
+{
+    /*
+     * Disable io_uring when the glib main loop is used because it doesn't
+     * support mixed glib/aio_poll() usage. It relies on aio_poll() being
+     * called regularly so that changes to the monitored file descriptors are
+     * submitted, otherwise a list of pending fd handlers builds up.
+     */
+    fdmon_io_uring_destroy(ctx);
+    aio_free_deleted_handlers(ctx);
+}
+
 void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns,
                                  int64_t grow, int64_t shrink, Error **errp)
 {
diff --git a/util/aio-win32.c b/util/aio-win32.c
index 729d533faf..953c56ab48 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -414,6 +414,10 @@ void aio_context_destroy(AioContext *ctx)
 {
 }
 
+void aio_context_use_g_source(AioContext *ctx)
+{
+}
+
 void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns,
                                  int64_t grow, int64_t shrink, Error **errp)
 {
diff --git a/util/async.c b/util/async.c
index 3165a28f2f..1319eee3bc 100644
--- a/util/async.c
+++ b/util/async.c
@@ -362,6 +362,7 @@ static GSourceFuncs aio_source_funcs = {
 
 GSource *aio_get_g_source(AioContext *ctx)
 {
+    aio_context_use_g_source(ctx);
     g_source_ref(&ctx->source);
     return &ctx->source;
 }
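Review bot: aio_get_g_source() now calls aio_context_use_g_source(ctx) on every invocation, so a function that reads as a getter tears down io_uring monitoring as a side effect and repeats the teardown on each later call. That is only safe if fdmon_io_uring_destroy() and aio_free_deleted_handlers() do nothing the second time; a comment at the call site saying so, or a guard inside aio_context_use_g_source(), would make the assumption explicit.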
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (24 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register Michael Roth
                   ` (53 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, qemu-stable, Sergei Trofimovich, Laurent Vivier

From: Sergei Trofimovich <slyfox@gentoo.org>

Fix syscall name and parameters printer.

Before the change:

```
$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
...
1274697 %s(%d)(2097152,274903156744,274903156760,274905840712,274877908880,274903235616) = 3
1274697 exit_group(0)
```

After the change:

```
$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
...
1273719 epoll_create1(2097152) = 3
1273719 exit_group(0)
```

Fixes: 9cbc0578cb6 ("Improve output of various syscalls")
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
CC: Riku Voipio <riku.voipio@iki.fi>
CC: Laurent Vivier <laurent@vivier.eu>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200416175957.1274882-1-slyfox@gentoo.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit fd568660b7ae9b9e45cbb616acc91ae4c065c32d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/strace.list | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/strace.list b/linux-user/strace.list
index d49a1e92a8..9281c0a758 100644
--- a/linux-user/strace.list
+++ b/linux-user/strace.list
@@ -125,10 +125,10 @@
 { TARGET_NR_dup3, "dup3" , "%s(%d,%d,%d)", NULL, NULL },
 #endif
 #ifdef TARGET_NR_epoll_create
-{ TARGET_NR_epoll_create, "%s(%d)", NULL, NULL, NULL },
+{ TARGET_NR_epoll_create, "epoll_create", "%s(%d)", NULL, NULL },
 #endif
 #ifdef TARGET_NR_epoll_create1
-{ TARGET_NR_epoll_create1, "%s(%d)", NULL, NULL, NULL },
+{ TARGET_NR_epoll_create1, "epoll_create1", "%s(%d)", NULL, NULL },
 #endif
 #ifdef TARGET_NR_epoll_ctl
 { TARGET_NR_epoll_ctl, "epoll_ctl" , NULL, NULL, NULL },
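Review bot: both corrected entries had the format string sitting in the name slot because the initializers are positional, and the compiler accepts either order since both fields are strings. It is worth checking the rest of strace.list for other entries whose second field starts with "%s("; the epoll_ctl entry just below shows the intended layout of name first, format second.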
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (25 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register Michael Roth
                   ` (52 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

The memory region ops have min_access_size == 4 so obey it.

Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qtest/usb-hcd-ehci-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qtest/usb-hcd-ehci-test.c b/tests/qtest/usb-hcd-ehci-test.c
index 5251d539e9..c51e8bb223 100644
--- a/tests/qtest/usb-hcd-ehci-test.c
+++ b/tests/qtest/usb-hcd-ehci-test.c
@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void)
 static void pci_ehci_config(void)
 {
     /* hands over all ports from companion uhci to ehci */
-    qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1);
+    qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1);
 }
 
 static void pci_uhci_port_2(void)
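Review bot: the write in pci_ehci_config() goes to a bare offset 0x60, and the reason it has to be qpci_io_writel rather than qpci_io_writew (the region's min_access_size of 4) lives only in the commit message. A named constant for the register and a short comment on the required width would keep the test from being narrowed again.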
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (26 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid" Michael Roth
                   ` (51 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

The memory region ops have min_access_size == 4 so obey it.

Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qtest/libqos/pci-pc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qtest/libqos/pci-pc.c b/tests/qtest/libqos/pci-pc.c
index 0bc591d1da..3bb2eb3ba8 100644
--- a/tests/qtest/libqos/pci-pc.c
+++ b/tests/qtest/libqos/pci-pc.c
@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot)
     g_assert(!qdict_haskey(response, "error"));
     qobject_unref(response);
 
-    qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
+    qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
 
     qtest_qmp_eventwait(qts, "DEVICE_DELETED");
 }
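Review bot: with the switch to qtest_outl() the full value of 1 << slot now reaches the register, but slot is a uint8_t and the shift is done in int, so slot 31 shifts into the sign bit and anything larger is undefined. Use 1U << slot and assert slot < 32 before the write.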
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (27 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT Michael Roth
                   ` (50 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, qemu-stable, Michael S. Tsirkin

From: "Michael S. Tsirkin" <mst@redhat.com>

Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.

This is what devices seem to assume.

However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.

Naturally, this breaks a bunch of devices.

Revert to the documented behaviour.

Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.

Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 memory.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/memory.c b/memory.c
index 601b749906..e31aed6446 100644
--- a/memory.c
+++ b/memory.c
@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
                                 bool is_write,
                                 MemTxAttrs attrs)
 {
-    int access_size_min, access_size_max;
-    int access_size, i;
-
-    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+    if (mr->ops->valid.accepts
+        && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
         return false;
     }
 
-    if (!mr->ops->valid.accepts) {
-        return true;
-    }
-
-    access_size_min = mr->ops->valid.min_access_size;
-    if (!mr->ops->valid.min_access_size) {
-        access_size_min = 1;
+    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+        return false;
     }
 
-    access_size_max = mr->ops->valid.max_access_size;
+    /* Treat zero as compatibility all valid */
     if (!mr->ops->valid.max_access_size) {
-        access_size_max = 4;
+        return true;
     }
 
-    access_size = MAX(MIN(size, access_size_max), access_size_min);
-    for (i = 0; i < size; i += access_size) {
-        if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
-                                    is_write, attrs)) {
-            return false;
-        }
+    if (size > mr->ops->valid.max_access_size
+        || size < mr->ops->valid.min_access_size) {
+        return false;
     }
-
     return true;
 }
 
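Review bot: the early return under the "Treat zero as compatibility all valid" comment fires on valid.max_access_size alone, so a device that sets only valid.min_access_size gets no size check at all and the min comparison below it is never reached. Either test both fields before returning true or say in the comment that min_access_size is ignored when max_access_size is 0. The alignment test addr & (size - 1) also assumes size is a power of two, which deserves a word in the same comment.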
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (28 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid" Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 31/77] xhci: fix valid.max_access_size to access address registers Michael Roth
                   ` (49 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alistair Francis, qemu-stable

From: Alistair Francis <alistair.francis@wdc.com>

Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
"memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
accesses to the CLINT and QEMU would trigger a fault. Fix this failure
by allowing 8 byte accesses.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
(cherry picked from commit 70b78d4e71494c90d2ccb40381336bc9b9a22f79)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/riscv/sifive_clint.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
index e933d35092..a2a4b7d752 100644
--- a/hw/riscv/sifive_clint.c
+++ b/hw/riscv/sifive_clint.c
@@ -180,7 +180,7 @@ static const MemoryRegionOps sifive_clint_ops = {
     .endianness = DEVICE_LITTLE_ENDIAN,
     .valid = {
         .min_access_size = 4,
-        .max_access_size = 4
+        .max_access_size = 8
     }
 };
 
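Review bot: nothing next to .max_access_size = 8 says why the upper bound now differs from .min_access_size, and the reason (RISC-V boards issue 64 bit accesses to the CLINT, which the check restored by 5d971f9e6725 rejects) is only in the commit message. A short comment here would stop the bound from being tightened back to 4 in a later cleanup.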
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 31/77] xhci: fix valid.max_access_size to access address registers
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (29 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 32/77] acpi: accept byte and word access to core ACPI registers Michael Roth
                   ` (48 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Laurent Vivier, qemu-stable, Gerd Hoffmann

From: Laurent Vivier <lvivier@redhat.com>

QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
64-bit mode access in "runtime" and "operational" MemoryRegionOps.

Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.

XHCI specs:
"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
should write 64-bit registers using only Qword accesses.  If a
system is incapable of issuing Qword accesses, then writes to the
64-bit address fields shall be performed using 2 Dword accesses;
low Dword-first, high-Dword second.  If the xHC supports 32-bit
addressing (AC64 = ‘0’), then the high Dword of registers containing
64-bit address fields are unused and software should write addresses
using only Dword accesses"

The problem has been detected with SLOF, as the Linux kernel always accesses
registers using 32-bit access even if AC64 is set and revealed by
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")

Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 20200721083322.90651-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index b330e36fe6..67a18fe2b6 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
     .read = xhci_oper_read,
     .write = xhci_oper_write,
     .valid.min_access_size = 4,
-    .valid.max_access_size = 4,
+    .valid.max_access_size = sizeof(dma_addr_t),
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
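Review bot: .valid.max_access_size = sizeof(dma_addr_t) ties a guest-visible access limit to the size of a QEMU typedef, while the justification in the commit message is the AC64 capability the device advertises. A literal 8 with a comment naming AC64 states the intent directly, here and in xhci_runtime_ops, and does not change if dma_addr_t ever does.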
@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
     .read = xhci_runtime_read,
     .write = xhci_runtime_write,
     .valid.min_access_size = 4,
-    .valid.max_access_size = 4,
+    .valid.max_access_size = sizeof(dma_addr_t),
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 32/77] acpi: accept byte and word access to core ACPI registers
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (30 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 31/77] xhci: fix valid.max_access_size to access address registers Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses Michael Roth
                   ` (47 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Michael Tokarev, qemu-stable, Michael S . Tsirkin

From: Michael Tokarev <mjt@tls.msk.ru>

All ISA registers should be accessible as bytes, words or dwords
(if wide enough).  Fix the access constraints for acpi-pm-evt,
acpi-pm-tmr & acpi-cnt registers.

Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
Fixes: afafe4bbe0 (apci: switch cnt to memory api)
Fixes: 77d58b1e47 (apci: switch timer to memory api)
Fixes: b5a7c024d2 (apci: switch evt to memory api)
Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
Buglink: https://bugs.debian.org/964793
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
BugLink: https://bugs.launchpad.net/bugs/1886318
Reported-By: Simon John <git@the-jedi.co.uk>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/acpi/core.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 45cbed49ab..d85052c34a 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
 static const MemoryRegionOps acpi_pm_evt_ops = {
     .read = acpi_pm_evt_read,
     .write = acpi_pm_evt_write,
-    .valid.min_access_size = 2,
+    .impl.min_access_size = 2,
+    .valid.min_access_size = 1,
     .valid.max_access_size = 2,
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
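Review bot: with .impl.min_access_size = 2 under .valid.min_access_size = 1, a guest byte write is widened to the 2-byte implementation size before it reaches acpi_pm_evt_write(), so the callback cannot tell which byte the guest meant to leave untouched. Please confirm that a byte write to either half of the register does not disturb the other half, and cover that case with a test.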
@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
 static const MemoryRegionOps acpi_pm_tmr_ops = {
     .read = acpi_pm_tmr_read,
     .write = acpi_pm_tmr_write,
-    .valid.min_access_size = 4,
+    .impl.min_access_size = 4,
+    .valid.min_access_size = 1,
     .valid.max_access_size = 4,
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
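Review bot: .valid.min_access_size = 1 on a 4-byte register means byte accesses at offsets 1 to 3 and a word access at offset 2 now pass validation and are handed to the callbacks at the 4-byte implementation size. Check that acpi_pm_tmr_read() returns the right bytes when addr is not 0.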
@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
 static const MemoryRegionOps acpi_pm_cnt_ops = {
     .read = acpi_pm_cnt_read,
     .write = acpi_pm_cnt_write,
-    .valid.min_access_size = 2,
+    .impl.min_access_size = 2,
+    .valid.min_access_size = 1,
     .valid.max_access_size = 2,
     .endianness = DEVICE_LITTLE_ENDIAN,
 };
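Review bot: the .impl.min_access_size / .valid.min_access_size pair appears here for the third time with no comment, and valid and impl now disagree in all three structs. One comment on the first struct saying that ISA registers must accept byte and word accesses while the callbacks are written for the full register width would explain the split.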
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (31 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 32/77] acpi: accept byte and word access to core ACPI registers Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value Michael Roth
                   ` (46 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Helge Deller, Sven Schnelle, qemu-stable

From: Helge Deller <deller@gmx.de>

Commit 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes
in memory_region_access_valid") broke the artist driver in a way that
the dtwm window manager on HP-UX rendered wrong.

Fixes: 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit e0cf02ce680f11893aca9642e76d6ae68b9375af)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/artist.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/hw/display/artist.c b/hw/display/artist.c
index 753dbb9a77..d7bce918b8 100644
--- a/hw/display/artist.c
+++ b/hw/display/artist.c
@@ -1199,20 +1199,16 @@ static const MemoryRegionOps artist_reg_ops = {
     .read = artist_reg_read,
     .write = artist_reg_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
-    .valid = {
-        .min_access_size = 1,
-        .max_access_size = 4,
-    },
+    .impl.min_access_size = 1,
+    .impl.max_access_size = 4,
 };
 
 static const MemoryRegionOps artist_vram_ops = {
     .read = artist_vram_read,
     .write = artist_vram_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
-    .valid = {
-        .min_access_size = 1,
-        .max_access_size = 4,
-    },
+    .impl.min_access_size = 1,
+    .impl.max_access_size = 4,
 };
 
 static void artist_draw_cursor(ARTISTState *s)
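Review bot: removing .valid outright from artist_reg_ops and artist_vram_ops leaves valid.max_access_size at 0, which memory_region_access_valid() as restored by 5d971f9e6725 treats as "all valid", so these two regions lose size validation entirely rather than gaining a wider bound. If the guest needs accesses larger than 4 bytes, keep .valid with the widest size actually required next to the new .impl limits, and name the access sizes HP-UX issues in the commit message.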
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread
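
The size check that patch 29 restores, and what the min/max values touched by patches 30, 32 and 33 make it accept, as an added example (not QEMU code and not part of any message in this thread). The struct `valid_model`, the functions `access_valid()` and `accepted_sizes()`, the `min_only` entry and the sample offset are constructed stand-ins; only the min/max pairs are taken from the hunks above.

```c
/* Added example: models the restored size check; this is not QEMU source. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the .valid member of MemoryRegionOps,
 * reduced to the fields the patched function reads. */
struct valid_model {
    const char *name;
    unsigned min_access_size;
    unsigned max_access_size;
    bool unaligned;
    bool (*accepts)(uint64_t addr, unsigned size, bool is_write);
};

/* Same checks, in the same order, as the new side of the memory.c hunk. */
static bool access_valid(const struct valid_model *v, uint64_t addr,
                         unsigned size, bool is_write)
{
    if (v->accepts && !v->accepts(addr, size, is_write)) {
        return false;
    }
    if (!v->unaligned && (addr & (size - 1))) {
        return false;
    }
    if (!v->max_access_size) {      /* zero: no size limit is enforced */
        return true;
    }
    if (size > v->max_access_size || size < v->min_access_size) {
        return false;
    }
    return true;
}

/* min/max pairs as they appear in the hunks of patches 30, 32 and 33. */
static const struct valid_model clint_before = {
    .name = "sifive_clint, before 30/77", .min_access_size = 4, .max_access_size = 4 };
static const struct valid_model clint_after = {
    .name = "sifive_clint, after 30/77", .min_access_size = 4, .max_access_size = 8 };
static const struct valid_model acpi_evt_before = {
    .name = "acpi_pm_evt, before 32/77", .min_access_size = 2, .max_access_size = 2 };
static const struct valid_model acpi_evt_after = {
    .name = "acpi_pm_evt, after 32/77", .min_access_size = 1, .max_access_size = 2 };
static const struct valid_model acpi_tmr_after = {
    .name = "acpi_pm_tmr, after 32/77", .min_access_size = 1, .max_access_size = 4 };
static const struct valid_model artist_before = {
    .name = "artist, before 33/77", .min_access_size = 1, .max_access_size = 4 };
static const struct valid_model artist_after = {
    .name = "artist, after 33/77 (.valid removed)" };
/* Constructed case, not from any patch: only the lower bound is set. */
static const struct valid_model min_only = {
    .name = "constructed: min set, max 0", .min_access_size = 4 };

static const struct valid_model *const models[] = {
    &clint_before, &clint_after, &acpi_evt_before, &acpi_evt_after,
    &acpi_tmr_after, &artist_before, &artist_after, &min_only,
};

/* Bitmask of access sizes accepted at an 8-byte aligned offset:
 * bit 0 = 1 byte, bit 1 = 2 bytes, bit 2 = 4 bytes, bit 3 = 8 bytes. */
static unsigned accepted_sizes(const struct valid_model *v)
{
    unsigned mask = 0;

    for (unsigned i = 0; i < 4; i++) {
        /* 0x40 is a constructed offset, aligned for every size tested */
        if (access_valid(v, 0x40, 1u << i, true)) {
            mask |= 1u << i;
        }
    }
    return mask;
}

int main(void)
{
    printf("%-38s  1  2  4  8\n", "region");
    for (size_t m = 0; m < sizeof(models) / sizeof(models[0]); m++) {
        unsigned mask = accepted_sizes(models[m]);

        printf("%-38s", models[m]->name);
        for (unsigned i = 0; i < 4; i++) {
            printf("  %c", (mask & (1u << i)) ? 'y' : '-');
        }
        printf("\n");
    }
    return 0;
}
```

The last two rows accept every size: a region with `.valid` removed, or with only `min_access_size` set, is not size-checked by this function at all.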

* [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (32 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 35/77] virtiofsd: Whitelist fchmod Michael Roth
                   ` (45 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: Jason Wang, qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

libFuzzer found using 'qemu-system-i386 -M q35':

qemu: hardware error: e1000e: PSRCTL.BSIZE0 cannot be zero
==1988== ERROR: libFuzzer: deadly signal
    #6 0x7fae4d3ea894 in __GI_abort (/lib64/libc.so.6+0x22894)
    #7 0x563f4cc59a1d in hw_error (qemu-fuzz-i386+0xe8ca1d)
    #8 0x563f4d7c93f2 in e1000e_set_psrctl (qemu-fuzz-i386+0x19fc3f2)
    #9 0x563f4d7b798f in e1000e_core_write (qemu-fuzz-i386+0x19ea98f)
    #10 0x563f4d7afc46 in e1000e_mmio_write (qemu-fuzz-i386+0x19e2c46)
    #11 0x563f4cc9a0a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
    #12 0x563f4cc99c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
    #13 0x563f4cc987b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

It simply sent the following 2 I/O commands to the e1000e
PCI BAR #2 I/O region:

  writew 0x0100 0x0c00 # RCTL =   E1000_RCTL_DTYP_MASK
  writeb 0x2170 0x00   # PSRCTL = 0

2813 static void
2814 e1000e_set_psrctl(E1000ECore *core, int index, uint32_t val)
2815 {
2816     if (core->mac[RCTL] & E1000_RCTL_DTYP_MASK) {
2817
2818         if ((val & E1000_PSRCTL_BSIZE0_MASK) == 0) {
2819             hw_error("e1000e: PSRCTL.BSIZE0 cannot be zero");
2820         }

Instead of calling hw_error() which aborts the process (it is
meant for CPU fatal error condition, not for device logging),
log the invalid request with qemu_log_mask(LOG_GUEST_ERROR)
and return, ignoring the request.

Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit fda43b1204aecd1db158b3255c591d227fbdd629)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/e1000e_core.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index d5676871fa..bcd186cac5 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -34,9 +34,9 @@
 */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "net/net.h"
 #include "net/tap.h"
-#include "hw/hw.h"
 #include "hw/pci/msi.h"
 #include "hw/pci/msix.h"
 #include "sysemu/runstate.h"
@@ -2816,11 +2816,15 @@ e1000e_set_psrctl(E1000ECore *core, int index, uint32_t val)
     if (core->mac[RCTL] & E1000_RCTL_DTYP_MASK) {
 
         if ((val & E1000_PSRCTL_BSIZE0_MASK) == 0) {
-            hw_error("e1000e: PSRCTL.BSIZE0 cannot be zero");
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "e1000e: PSRCTL.BSIZE0 cannot be zero");
+            return;
         }
 
         if ((val & E1000_PSRCTL_BSIZE1_MASK) == 0) {
-            hw_error("e1000e: PSRCTL.BSIZE1 cannot be zero");
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "e1000e: PSRCTL.BSIZE1 cannot be zero");
+            return;
         }
     }
 
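Review bot: the two qemu_log_mask(LOG_GUEST_ERROR, ...) strings have no trailing "\n", so with guest-error logging enabled they run into the next log line. Add the newline, and consider printing val as well, since the early return discards the only record of what the guest wrote.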
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 86+ messages in thread

* [PATCH 35/77] virtiofsd: Whitelist fchmod
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (33 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access Michael Roth
                   ` (44 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Dr . David Alan Gilbert, Max Reitz

From: Max Reitz <mreitz@redhat.com>

lo_setattr() invokes fchmod() in a rarely used code path, so it should
be whitelisted or virtiofsd will crash with EBADSYS.

Said code path can be triggered for example as follows:

On the host, in the shared directory, create a file with the sticky bit
set and a security.capability xattr:
(1) # touch foo
(2) # chmod u+s foo
(3) # setcap '' foo

Then in the guest let some process truncate that file after it has
dropped all of its capabilities (at least CAP_FSETID):

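#include <cap-ng.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    capng_setpid(getpid());
    capng_clear(CAPNG_SELECT_BOTH);
    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
    capng_apply(CAPNG_SELECT_BOTH);

    /* Truncate the file named in argv[1] through an open fd */
    ftruncate(open(argv[1], O_RDWR), 0);
}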

This will cause the guest kernel to drop the sticky bit (i.e. perform a
mode change) as part of the truncate (where FATTR_FH is set), and that
will cause virtiofsd to invoke fchmod() instead of fchmodat().

(A similar configuration exists further below with futimens() vs.
utimensat(), but the former is not a syscall but just a wrapper for the
latter, so no further whitelisting is required.)

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
Reported-by: Qian Cai <caiqian@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200608093111.14942-1-mreitz@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 63659fe74e76f5c5285466f0c5cfbdca65b3688e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tools/virtiofsd/seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
index bd9e7b083c..3b1522acdd 100644
--- a/tools/virtiofsd/seccomp.c
+++ b/tools/virtiofsd/seccomp.c
@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
     SCMP_SYS(exit_group),
     SCMP_SYS(fallocate),
     SCMP_SYS(fchdir),
+    SCMP_SYS(fchmod),
     SCMP_SYS(fchmodat),
     SCMP_SYS(fchownat),
     SCMP_SYS(fcntl),
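
Review bot: the new SCMP_SYS(fchmod) entry sits in the allowlist with no
comment saying which caller needs it, so a later pruning pass could remove
it and bring back the crash on the FATTR_FH path in lo_setattr(). A
one-line comment next to the entry naming that path would help, and a
regression test that performs a mode change through an open file handle
would catch the next fd-based syscall that is missing from the list.
Separately, the reproducer in the commit message uses chmod u+s, which
sets the setuid bit rather than the sticky bit.
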
-- 
2.17.1




* [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (34 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 35/77] virtiofsd: Whitelist fchmod Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression Michael Roth
                   ` (43 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Philippe Mathieu-Daudé, Allan Peramaki, qemu-stable, Gerd Hoffmann

From: Allan Peramaki <aperamak@pp1.inet.fi>

Fix audio on software that accesses DRAM above 64k via register
peek/poke and some cases when more than 16 voices are used.

Cc: qemu-stable@nongnu.org
Fixes: 135f5ae1974c ("audio: GUSsample is int16_t")
Signed-off-by: Allan Peramaki <aperamak@pp1.inet.fi>
Tested-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200618103623.6031-1-philmd@redhat.com
Message-Id: <20200615201757.16868-1-aperamak@pp1.inet.fi>
[PMD: Removed unrelated style changes]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 586803455b3fa44d949ecd42cd9c87e5a6287aef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/audio/gusemu_hal.c   | 2 +-
 hw/audio/gusemu_mixer.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/audio/gusemu_hal.c b/hw/audio/gusemu_hal.c
index ae40ca341c..5b9a14ee21 100644
--- a/hw/audio/gusemu_hal.c
+++ b/hw/audio/gusemu_hal.c
@@ -32,7 +32,7 @@
 
 #define GUSregb(position) (*            (gusptr+(position)))
 #define GUSregw(position) (*(uint16_t *) (gusptr+(position)))
-#define GUSregd(position) (*(uint16_t *)(gusptr+(position)))
+#define GUSregd(position) (*(uint32_t *)(gusptr + (position)))
 
 /* size given in bytes */
 unsigned int gus_read(GUSEmuState * state, int port, int size)
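
Review bot: GUSregd() on the changed line now dereferences
gusptr + (position) as a uint32_t *, which assumes the offset is 4-byte
aligned and reads the value in host byte order; the same applies to
GUSregw() above it. If the register file is meant to be little-endian
regardless of host, QEMU's ldl_le_p()/stl_le_p() accessors would make the
32-bit access well defined on strict-alignment and big-endian hosts, at
the cost of changing the call sites that use the macro as an lvalue. If
the direct cast is kept, a comment stating that every GUSregd offset is
4-byte aligned would document the assumption.
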
diff --git a/hw/audio/gusemu_mixer.c b/hw/audio/gusemu_mixer.c
index 00b9861b92..56300de77e 100644
--- a/hw/audio/gusemu_mixer.c
+++ b/hw/audio/gusemu_mixer.c
@@ -28,7 +28,7 @@
 
 #define GUSregb(position)  (*            (gusptr+(position)))
 #define GUSregw(position)  (*(uint16_t *) (gusptr+(position)))
-#define GUSregd(position)  (*(uint16_t *)(gusptr+(position)))
+#define GUSregd(position)  (*(uint32_t *)(gusptr + (position)))
 
 #define GUSvoice(position) (*(uint16_t *)(voiceptr+(position)))
 
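
Review bot: this GUSregd() definition is a second copy of the one in
gusemu_hal.c, and the uint16_t typo had to be fixed in both places. Moving
the GUSregb/GUSregw/GUSregd macros into one shared header would keep the
two files from drifting apart again.
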
-- 
2.17.1




* [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (35 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 38/77] error: Use error_reportf_err() where appropriate Michael Roth
                   ` (42 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Jens Freimann, Michael S . Tsirkin, qemu-stable, Markus Armbruster

From: Markus Armbruster <armbru@redhat.com>

Commit 150ab54aa6 "net/virtio: fix re-plugging of primary device"
fixed failover_replug_primary() to return false on failure.  Commit
5a0948d36c "net/virtio: Fix failover error handling crash bugs" broke
it again for hotplug_handler_plug() failure.  Unbreak it.

Commit 5a0948d36c4cbc1c5534afac6fee99de55245d12

Fixes: 5a0948d36c4cbc1c5534afac6fee99de55245d12
Cc: Jens Freimann <jfreimann@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Jens Freimann <jfreimann@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200630090351.1247703-2-armbru@redhat.com>
(cherry picked from commit ca72efccbe33373810341a0d8a10f5698b8fbc87)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index a46e3b37a7..e7e2c2acdb 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2828,7 +2828,7 @@ static bool failover_replug_primary(VirtIONet *n, Error **errp)
         if (err) {
             goto out;
         }
-        hotplug_handler_plug(hotplug_ctrl, n->primary_dev, errp);
+        hotplug_handler_plug(hotplug_ctrl, n->primary_dev, &err);
     }
 
 out:
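
Review bot: with the changed line, a hotplug_handler_plug() failure is
only reported if the code after the out: label propagates err into errp
and derives the return value from err; that code is outside the visible
context, so it is worth confirming in the stable tree, since the commit
message describes this as the third change to the same return value. A
test case that forces hotplug_handler_plug() to fail would pin the
behaviour.
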
-- 
2.17.1




* [PATCH 38/77] error: Use error_reportf_err() where appropriate
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (36 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure Michael Roth
                   ` (41 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Markus Armbruster

From: Markus Armbruster <armbru@redhat.com>

Replace

    error_report("...: %s", ..., error_get_pretty(err));

by

    error_reportf_err(err, "...: ", ...);

One of the replaced messages lacked a colon.  Add it.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200505101908.6207-6-armbru@redhat.com>
(cherry picked from commit 5217f1887a8041c51495fbd5d3f767d96a242000)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 chardev/char-socket.c | 5 +++--
 hw/sd/pxa2xx_mmci.c   | 4 ++--
 hw/sd/sd.c            | 4 ++--
 hw/usb/dev-mtp.c      | 9 +++++----
 qemu-nbd.c            | 7 +++----
 scsi/qemu-pr-helper.c | 4 ++--
 6 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 185fe38dda..e5ee685f8c 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -138,8 +138,9 @@ static void check_report_connect_error(Chardev *chr,
     SocketChardev *s = SOCKET_CHARDEV(chr);
 
     if (!s->connect_err_reported) {
-        error_report("Unable to connect character device %s: %s",
-                     chr->label, error_get_pretty(err));
+        error_reportf_err(err,
+                          "Unable to connect character device %s: ",
+                          chr->label);
         s->connect_err_reported = true;
     }
     qemu_chr_socket_restart_timer(chr);
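
Review bot: switching to error_reportf_err() in
check_report_connect_error() changes ownership of err, because that
function frees the Error it reports while error_report() with
error_get_pretty() did not. The function now frees err only when
connect_err_reported is false, and a caller that still calls
error_free(err) afterwards frees it twice on that path. For the stable
branch this hunk must not land without the follow-up "chardev/tcp: Fix
error message double free error" (41/77).
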
diff --git a/hw/sd/pxa2xx_mmci.c b/hw/sd/pxa2xx_mmci.c
index 8f9ab0ec16..f9c50ddda5 100644
--- a/hw/sd/pxa2xx_mmci.c
+++ b/hw/sd/pxa2xx_mmci.c
@@ -497,12 +497,12 @@ PXA2xxMMCIState *pxa2xx_mmci_init(MemoryRegion *sysmem,
     carddev = qdev_create(qdev_get_child_bus(dev, "sd-bus"), TYPE_SD_CARD);
     qdev_prop_set_drive(carddev, "drive", blk, &err);
     if (err) {
-        error_report("failed to init SD card: %s", error_get_pretty(err));
+        error_reportf_err(err, "failed to init SD card: ");
         return NULL;
     }
     object_property_set_bool(OBJECT(carddev), true, "realized", &err);
     if (err) {
-        error_report("failed to init SD card: %s", error_get_pretty(err));
+        error_reportf_err(err, "failed to init SD card: ");
         return NULL;
     }
 
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 71a9af09ab..3c06a0ac6d 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -703,13 +703,13 @@ SDState *sd_init(BlockBackend *blk, bool is_spi)
     dev = DEVICE(obj);
     qdev_prop_set_drive(dev, "drive", blk, &err);
     if (err) {
-        error_report("sd_init failed: %s", error_get_pretty(err));
+        error_reportf_err(err, "sd_init failed: ");
         return NULL;
     }
     qdev_prop_set_bit(dev, "spi", is_spi);
     object_property_set_bool(obj, true, "realized", &err);
     if (err) {
-        error_report("sd_init failed: %s", error_get_pretty(err));
+        error_reportf_err(err, "sd_init failed: ");
         return NULL;
     }
 
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 20717f026b..168428156b 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -631,8 +631,9 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
         int64_t id = qemu_file_monitor_add_watch(s->file_monitor, o->path, NULL,
                                                  file_monitor_event, s, &err);
         if (id == -1) {
-            error_report("usb-mtp: failed to add watch for %s: %s", o->path,
-                         error_get_pretty(err));
+            error_reportf_err(err,
+                              "usb-mtp: failed to add watch for %s: ",
+                              o->path);
             error_free(err);
         } else {
             trace_usb_mtp_file_monitor_event(s->dev.addr, o->path,
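
Review bot: the error_free(err) kept on the line right after the new
error_reportf_err() call is now a double free, since error_reportf_err()
already releases err. The same pattern is left in the usb_mtp_command()
hunk that follows. Both are removed by "usb/dev-mtp: Fix Error double free
after inotify failure" (39/77), so the two patches need to be backported
together, or the error_free() calls dropped here.
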
@@ -1276,8 +1277,8 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 
         s->file_monitor = qemu_file_monitor_new(&err);
         if (err) {
-            error_report("usb-mtp: file monitoring init failed: %s",
-                         error_get_pretty(err));
+            error_reportf_err(err,
+                              "usb-mtp: file monitoring init failed: ");
             error_free(err);
         } else {
             QTAILQ_INIT(&s->events);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 306e44fb0a..d2657b8db5 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -856,8 +856,7 @@ int main(int argc, char **argv)
         }
         tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
         if (local_err) {
-            error_report("Failed to get TLS creds %s",
-                         error_get_pretty(local_err));
+            error_reportf_err(local_err, "Failed to get TLS creds: ");
             exit(EXIT_FAILURE);
         }
     } else {
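
Review bot: the replacement message in this hunk is not a pure refactor:
"Failed to get TLS creds %s" becomes "Failed to get TLS creds: ", so the
text users see changes in a stable release. Worth grepping test reference
output and documentation for the old string before the freeze.
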
@@ -983,8 +982,8 @@ int main(int argc, char **argv)
                                              &local_err);
             if (sioc == NULL) {
                 object_unref(OBJECT(server));
-                error_report("Failed to use socket activation: %s",
-                             error_get_pretty(local_err));
+                error_reportf_err(local_err,
+                                  "Failed to use socket activation: ");
                 exit(EXIT_FAILURE);
             }
             qio_net_listener_add(server, sioc);
diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
index 181ed4a186..57ad830d54 100644
--- a/scsi/qemu-pr-helper.c
+++ b/scsi/qemu-pr-helper.c
@@ -1030,8 +1030,8 @@ int main(int argc, char **argv)
         server_ioc = qio_channel_socket_new_fd(FIRST_SOCKET_ACTIVATION_FD,
                                                &local_err);
         if (server_ioc == NULL) {
-            error_report("Failed to use socket activation: %s",
-                         error_get_pretty(local_err));
+            error_reportf_err(local_err,
+                              "Failed to use socket activation: ");
             exit(EXIT_FAILURE);
         }
     }
-- 
2.17.1




* [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (37 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 38/77] error: Use error_reportf_err() where appropriate Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation Michael Roth
                   ` (40 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: Daniel P . Berrangé, Gerd Hoffmann, qemu-stable, Markus Armbruster

From: Markus Armbruster <armbru@redhat.com>

error_report_err() frees its first argument.  Freeing it again is
wrong.  Don't.

Fixes: 47287c27d0c367a89f7b2851e23a7f8b2d499dd6
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200630090351.1247703-7-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 562a558647be6fe43e60f8bf3601e5b6122c0599)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/dev-mtp.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 168428156b..15a2243101 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -634,7 +634,6 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
             error_reportf_err(err,
                               "usb-mtp: failed to add watch for %s: ",
                               o->path);
-            error_free(err);
         } else {
             trace_usb_mtp_file_monitor_event(s->dev.addr, o->path,
                                              "Watch Added");
@@ -1279,7 +1278,6 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
         if (err) {
             error_reportf_err(err,
                               "usb-mtp: file monitoring init failed: ");
-            error_free(err);
         } else {
             QTAILQ_INIT(&s->events);
         }
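
Review bot: after error_reportf_err() in the if (err) branch, err still
holds the freed pointer, here and in the usb_mtp_object_readdir() hunk
above. Nothing in the visible lines uses it again, but setting err = NULL
after the report (or scoping the variable to the block) would keep a later
edit from passing a stale Error to &err or testing it again.
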
-- 
2.17.1




* [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (38 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:58 ` [PATCH 41/77] chardev/tcp: Fix error message double free error Michael Roth
                   ` (39 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Eric Blake <eblake@redhat.com>

When snprintf returns the same value as the buffer size, the final
byte was truncated to ensure a NUL terminator.  Fortunately, such long
export names are unusual enough, with no real impact other than what
is displayed to the user.

Fixes: 5c86bdf12089
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200622210355.414941-1-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 00d69986da83a74f6f5731c80f8dd09fde95d19a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/nbd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/nbd.c b/block/nbd.c
index bfc0be6af6..bf3fbebfa0 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -2011,7 +2011,7 @@ static void nbd_refresh_filename(BlockDriverState *bs)
         len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
                        "nbd://%s:%s", host, port);
     }
-    if (len > sizeof(bs->exact_filename)) {
+    if (len >= sizeof(bs->exact_filename)) {
         /* Name is too long to represent exactly, so leave it empty. */
         bs->exact_filename[0] = '\0';
     }
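
Review bot: the changed comparison mixes len with
sizeof(bs->exact_filename), which is a size_t; if len is declared as int,
a negative snprintf() return is converted to a large unsigned value and
only happens to take the "leave it empty" branch. An explicit len < 0
test, or a size_t len assigned after that test, would make the behaviour
intentional. A test with an export name that makes the URI exactly
sizeof(bs->exact_filename) bytes long would cover the boundary this patch
fixes.
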
-- 
2.17.1




* [PATCH 41/77] chardev/tcp: Fix error message double free error
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (39 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation Michael Roth
@ 2020-09-03 20:58 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 42/77] qga: fix assert regression on guest-shutdown Michael Roth
                   ` (38 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: lichun, qemu-stable, Markus Armbruster

From: lichun <lichun@ruijie.com.cn>

Errors are already freed by error_report_err, so we only need to call
error_free when that function is not called.

Cc: qemu-stable@nongnu.org
Signed-off-by: lichun <lichun@ruijie.com.cn>
Message-Id: <20200621213017.17978-1-lichun@ruijie.com.cn>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Commit message improved, cc: qemu-stable]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit ed4e0d2ef140aef255d67eec30767e5fcd949f58)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 chardev/char-socket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index e5ee685f8c..58917870cd 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -142,6 +142,8 @@ static void check_report_connect_error(Chardev *chr,
                           "Unable to connect character device %s: ",
                           chr->label);
         s->connect_err_reported = true;
+    } else {
+        error_free(err);
     }
     qemu_chr_socket_restart_timer(chr);
 }
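
Review bot: with the new else branch, check_report_connect_error() always
consumes err, but nothing at the function tells callers that. A short
comment on the function stating that it takes ownership of err would help,
and every other caller needs the same audit as
qemu_chr_socket_connected(): none may free or read err after the call.
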
@@ -1083,7 +1085,6 @@ static void qemu_chr_socket_connected(QIOTask *task, void *opaque)
     if (qio_task_propagate_error(task, &err)) {
         tcp_chr_change_state(s, TCP_CHARDEV_STATE_DISCONNECTED);
         check_report_connect_error(chr, err);
-        error_free(err);
         goto cleanup;
     }
 
-- 
2.17.1




* [PATCH 42/77] qga: fix assert regression on guest-shutdown
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (40 preceding siblings ...)
  2020-09-03 20:58 ` [PATCH 41/77] chardev/tcp: Fix error message double free error Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 43/77] util: Introduce qemu_get_host_name() Michael Roth
                   ` (37 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Marc-André Lureau, qemu-stable

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Since commit 781f2b3d1e ("qga: process_event() simplification"),
send_response() is called unconditionally, but will assert when "rsp" is
NULL. This may happen with QCO_NO_SUCCESS_RESP commands, such as
"guest-shutdown".

Fixes: 781f2b3d1e5ef389b44016a897fd55e7a780bf35
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 844bd70b5652f30bbace89499f513e3fbbb6457a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qga/main.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qga/main.c b/qga/main.c
index f0e454f28d..3febf3b0fd 100644
--- a/qga/main.c
+++ b/qga/main.c
@@ -531,7 +531,11 @@ static int send_response(GAState *s, const QDict *rsp)
     QString *payload_qstr, *response_qstr;
     GIOStatus status;
 
-    g_assert(rsp && s->channel);
+    g_assert(s->channel);
+
+    if (!rsp) {
+        return 0;
+    }
 
     payload_qstr = qobject_to_json(QOBJECT(rsp));
     if (!payload_qstr) {
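
Review bot: the early return 0 for a NULL rsp makes send_response() report
success for any caller that passes NULL, not only for QCO_NO_SUCCESS_RESP
commands such as guest-shutdown, so a dispatch bug that loses a response
would now go unnoticed. Consider checking for NULL at the call site in
process_event() and keeping the assertion here, or at least add a comment
that NULL means no response is expected.
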
-- 
2.17.1




* [PATCH 43/77] util: Introduce qemu_get_host_name()
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (41 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 42/77] qga: fix assert regression on guest-shutdown Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name() Michael Roth
                   ` (36 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Michal Privoznik, qemu-stable

From: Michal Privoznik <mprivozn@redhat.com>

This function offers an operating system agnostic way to fetch the host
name. It is implemented for both POSIX-like and Windows systems.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit e47f4765afcab2b78dfa5b0115abf64d1d49a5d3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/qemu/osdep.h | 10 ++++++++++
 util/oslib-posix.c   | 35 +++++++++++++++++++++++++++++++++++
 util/oslib-win32.c   | 13 +++++++++++++
 3 files changed, 58 insertions(+)

diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 20f5c5f197..1866cab3c5 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -607,4 +607,14 @@ static inline void qemu_reset_optind(void)
 #endif
 }
 
+/**
+ * qemu_get_host_name:
+ * @errp: Error object
+ *
+ * Operating system agnostic way of querying host name.
+ *
+ * Returns allocated hostname (caller should free), NULL on failure.
+ */
+char *qemu_get_host_name(Error **errp);
+
 #endif
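
Review bot: the doc comment says "caller should free" without naming the
deallocator; both implementations in this patch return GLib-allocated
memory, so it should say g_free(). It should also state that @errp is set
whenever NULL is returned, which the win32 implementation in this patch
does not guarantee.
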
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index 062236a1ab..e58fbc8e00 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -752,3 +752,38 @@ void sigaction_invoke(struct sigaction *action,
     }
     action->sa_sigaction(info->ssi_signo, &si, NULL);
 }
+
+#ifndef HOST_NAME_MAX
+# ifdef _POSIX_HOST_NAME_MAX
+#  define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
+# else
+#  define HOST_NAME_MAX 255
+# endif
+#endif
+
+char *qemu_get_host_name(Error **errp)
+{
+    long len = -1;
+    g_autofree char *hostname = NULL;
+
+#ifdef _SC_HOST_NAME_MAX
+    len = sysconf(_SC_HOST_NAME_MAX);
+#endif /* _SC_HOST_NAME_MAX */
+
+    if (len < 0) {
+        len = HOST_NAME_MAX;
+    }
+
+    /* Unfortunately, gethostname() below does not guarantee a
+     * NULL terminated string. Therefore, allocate one byte more
+     * to be sure. */
+    hostname = g_new0(char, len + 1);
+
+    if (gethostname(hostname, len) < 0) {
+        error_setg_errno(errp, errno,
+                         "cannot get hostname");
+        return NULL;
+    }
+
+    return g_steal_pointer(&hostname);
+}
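
Review bot: the comment above g_new0() says gethostname() does not
guarantee a "NULL terminated" string; that should read NUL-terminated.
gethostname() may also truncate silently when the name does not fit, and
this function returns the truncated name without any indication. Since len
comes from sysconf(_SC_HOST_NAME_MAX), truncation should not occur in
practice, but a comment saying so would make the sizing argument complete.
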
diff --git a/util/oslib-win32.c b/util/oslib-win32.c
index e9b14ab178..3b49d27297 100644
--- a/util/oslib-win32.c
+++ b/util/oslib-win32.c
@@ -808,3 +808,16 @@ bool qemu_write_pidfile(const char *filename, Error **errp)
     }
     return true;
 }
+
+char *qemu_get_host_name(Error **errp)
+{
+    wchar_t tmp[MAX_COMPUTERNAME_LENGTH + 1];
+    DWORD size = G_N_ELEMENTS(tmp);
+
+    if (GetComputerNameW(tmp, &size) == 0) {
+        error_setg_win32(errp, GetLastError(), "failed close handle");
+        return NULL;
+    }
+
+    return g_utf16_to_utf8(tmp, size, NULL, NULL, NULL);
+}
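
Review bot: the error_setg_win32() message "failed close handle" is a
copy-paste leftover and should describe the failed GetComputerNameW()
call. The final g_utf16_to_utf8() is called with a NULL GError, so a
conversion failure returns NULL without setting errp, which breaks the
"NULL on failure" contract for callers that test *errp. Note also that
GetComputerNameW() returns the NetBIOS name, which can differ from the DNS
host name the POSIX side reports.
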
-- 
2.17.1




* [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name()
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (42 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 43/77] util: Introduce qemu_get_host_name() Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two Michael Roth
                   ` (35 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Michal Privoznik, qemu-stable

From: Michal Privoznik <mprivozn@redhat.com>

The problem with g_get_host_name() is that on the first call it saves
the hostname into a global variable and from then on, every
subsequent call returns the saved hostname, even if the hostname
changes. This doesn't play nicely with the guest agent, because if
the hostname is acquired before the guest is set up (e.g. on the
first boot, or before DHCP) we will report an old, invalid hostname.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1845127

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 0d3a8f32b1e0eca279da1b0cc793efc7250c3daf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qga/commands.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/qga/commands.c b/qga/commands.c
index efc8b90281..d3fec807c1 100644
--- a/qga/commands.c
+++ b/qga/commands.c
@@ -515,11 +515,20 @@ int ga_parse_whence(GuestFileWhence *whence, Error **errp)
 GuestHostName *qmp_guest_get_host_name(Error **errp)
 {
     GuestHostName *result = NULL;
-    gchar const *hostname = g_get_host_name();
-    if (hostname != NULL) {
-        result = g_new0(GuestHostName, 1);
-        result->host_name = g_strdup(hostname);
+    g_autofree char *hostname = qemu_get_host_name(errp);
+
+    /*
+     * We want to avoid using g_get_host_name() because that
+     * caches the result and we wouldn't reflect changes in the
+     * host name.
+     */
+
+    if (!hostname) {
+        hostname = g_strdup("localhost");
     }
+
+    result = g_new0(GuestHostName, 1);
+    result->host_name = g_steal_pointer(&hostname);
     return result;
 }
 
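
Review bot: when qemu_get_host_name(errp) fails it sets *errp, and this
function then falls back to "localhost" and returns a non-NULL result, so
the caller receives both an error and a value. Pass a local Error (or
NULL) to qemu_get_host_name() and drop or log it if the "localhost"
fallback is intended, or return NULL and let the error propagate.
Reporting "localhost" for a guest whose name could not be read also hides
the failure from management software.
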
-- 
2.17.1




* [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (43 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name() Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' Michael Roth
                   ` (34 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Niek Linnenbank, qemu-stable, Philippe Mathieu-Daudé

From: Niek Linnenbank <nieklinnenbank@gmail.com>

SD cards need to have a size of a power of two.
Update the Orange Pi machine documentation to include
instructions for resizing downloaded images using the
qemu-img command.

Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200712183708.15450-1-nieklinnenbank@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
(cherry picked from commit 1c2329b5d644bad16e888d095e2021ad682201d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 docs/system/arm/orangepi.rst | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/orangepi.rst b/docs/system/arm/orangepi.rst
index c41adad488..6f23907fb6 100644
--- a/docs/system/arm/orangepi.rst
+++ b/docs/system/arm/orangepi.rst
@@ -127,6 +127,16 @@ can be downloaded from:
 Alternatively, you can also choose to build you own image with buildroot
 using the orangepi_pc_defconfig. Also see https://buildroot.org for more information.
 
+When using an image as an SD card, it must be resized to a power of two. This can be
+done with the qemu-img command. It is recommended to only increase the image size
+instead of shrinking it to a power of two, to avoid loss of data. For example,
+to prepare a downloaded Armbian image, first extract it and then increase
+its size to one gigabyte as follows:
+
+.. code-block:: bash
+
+  $ qemu-img resize Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.img 1G
+
 You can choose to attach the selected image either as an SD card or as USB mass storage.
 For example, to boot using the Orange Pi PC Debian image on SD card, simply add the -sd
 argument and provide the proper root= kernel parameter:
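
Review bot: the added qemu-img resize command relies on format probing for
a raw .img file. Suggest writing it as qemu-img resize -f raw ... in the
documentation, here and in the NetBSD section, so the format is stated
explicitly. The prose "resized to a power of two" would also be clearer as
"its size in bytes must be a power of two".
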
@@ -213,12 +223,12 @@ Next, unzip the NetBSD image and write the U-Boot binary including SPL using:
   $ dd if=/path/to/u-boot-sunxi-with-spl.bin of=armv7.img bs=1024 seek=8 conv=notrunc
 
 Finally, before starting the machine the SD image must be extended such
-that the NetBSD kernel will not conclude the NetBSD partition is larger than
-the emulated SD card:
+that the size of the SD image is a power of two and that the NetBSD kernel
+will not conclude the NetBSD partition is larger than the emulated SD card:
 
 .. code-block:: bash
 
-  $ dd if=/dev/zero bs=1M count=64 >> armv7.img
+  $ qemu-img resize armv7.img 2G
 
 Start the machine using the following command:
 
-- 
2.17.1




* [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (44 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 47/77] tests/acceptance: allow console interaction with specific VMs Michael Roth
                   ` (33 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Avocado tags are handy to automatically select tests matching
the tags. Since these tests use an SD card, tag them.

We can run all the tests using an SD card at once with:

  $ avocado --show=app run -t u-boot tests/acceptance/
  $ AVOCADO_ALLOW_LARGE_STORAGE=ok \
    avocado --show=app \
      run -t device:sd tests/acceptance/
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
   (1/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd: PASS (19.56 s)
   (2/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic: PASS (49.97 s)
   (3/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9: PASS (20.06 s)
  RESULTS    : PASS 3 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
  JOB TIME   : 90.02 s

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cleber Rosa <crosa@redhat.com>
Tested-by: Cleber Rosa <crosa@redhat.com>
Message-Id: <20200713183209.26308-4-f4bug@amsat.org>
(cherry picked from commit b7dcbf1395da960ec3c313300dc0030674de8cd1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/acceptance/boot_linux_console.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index f825cd9ef5..d864d22ca8 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -583,6 +583,7 @@ class BootLinuxConsole(Test):
         """
         :avocado: tags=arch:arm
         :avocado: tags=machine:orangepi-pc
+        :avocado: tags=device:sd
         """
         deb_url = ('https://apt.armbian.com/pool/main/l/'
                    'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
@@ -632,6 +633,7 @@ class BootLinuxConsole(Test):
         """
         :avocado: tags=arch:arm
         :avocado: tags=machine:orangepi-pc
+        :avocado: tags=device:sd
         """
 
         # This test download a 196MB compressed image and expand it to 932MB...
@@ -673,6 +675,7 @@ class BootLinuxConsole(Test):
         """
         :avocado: tags=arch:arm
         :avocado: tags=machine:orangepi-pc
+        :avocado: tags=device:sd
         """
         # This test download a 304MB compressed image and expand it to 1.3GB...
         deb_url = ('http://snapshot.debian.org/archive/debian/'
-- 
2.17.1




* [PATCH 47/77] tests/acceptance: allow console interaction with specific VMs
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (45 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse Michael Roth
                   ` (32 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel
  Cc: Pavel Dovgalyuk, Philippe Mathieu-Daudé,
	qemu-stable, Pavel Dovgalyuk

From: Pavel Dovgalyuk <Pavel.Dovgaluk@gmail.com>

Console interaction in avocado scripts was possible only with a single
default VM.
This patch modifies the function parameters to allow passing a specific
VM as a parameter to interact with it.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <159073587933.20809.5122618715976660635.stgit@pasha-ThinkPad-X280>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit a5ba86d423c2b071894d86c60487f2317c7ffb60)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/acceptance/avocado_qemu/__init__.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tests/acceptance/avocado_qemu/__init__.py b/tests/acceptance/avocado_qemu/__init__.py
index 59e7b4f763..77d1c1d9ff 100644
--- a/tests/acceptance/avocado_qemu/__init__.py
+++ b/tests/acceptance/avocado_qemu/__init__.py
@@ -69,13 +69,15 @@ def pick_default_qemu_bin(arch=None):
 
 
 def _console_interaction(test, success_message, failure_message,
-                         send_string, keep_sending=False):
+                         send_string, keep_sending=False, vm=None):
     assert not keep_sending or send_string
-    console = test.vm.console_socket.makefile()
+    if vm is None:
+        vm = test.vm
+    console = vm.console_socket.makefile()
     console_logger = logging.getLogger('console')
     while True:
         if send_string:
-            test.vm.console_socket.sendall(send_string.encode())
+            vm.console_socket.sendall(send_string.encode())
             if not keep_sending:
                 send_string = None # send only once
         msg = console.readline().strip()
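Review bot: `console_logger = logging.getLogger('console')` in `_console_interaction` is still one shared logger, so once callers pass different `vm` objects the logged console lines from several guests cannot be told apart. Consider tagging the messages with the VM (for example a per-VM child logger) so a multi-VM test log can be attributed to the right guest. The `if vm is None: vm = test.vm` fallback itself keeps existing callers working.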
@@ -115,7 +117,8 @@ def interrupt_interactive_console_until_pattern(test, success_message,
     _console_interaction(test, success_message, failure_message,
                          interrupt_string, True)
 
-def wait_for_console_pattern(test, success_message, failure_message=None):
+def wait_for_console_pattern(test, success_message, failure_message=None,
+                             vm=None):
     """
     Waits for messages to appear on the console, while logging the content
 
@@ -125,7 +128,7 @@ def wait_for_console_pattern(test, success_message, failure_message=None):
     :param success_message: if this message appears, test succeeds
     :param failure_message: if this message appears, test fails
     """
-    _console_interaction(test, success_message, failure_message, None)
+    _console_interaction(test, success_message, failure_message, None, vm=vm)
 
 def exec_command_and_wait_for_pattern(test, command,
                                       success_message, failure_message=None):
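Review bot: the docstring of `wait_for_console_pattern` still lists only `success_message` and `failure_message`; add a `:param vm:` entry saying that it defaults to `test.vm`. Also, `exec_command_and_wait_for_pattern` just below keeps its old signature, and `interrupt_interactive_console_until_pattern` in the previous hunk still calls `_console_interaction` without `vm`, so both can only talk to the default VM. Either extend them in this patch or say in the commit message that only the wait helper is covered.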
-- 
2.17.1




* [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (46 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 47/77] tests/acceptance: allow console interaction with specific VMs Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 49/77] tests/acceptance: refactor boot_linux_console test " Michael Roth
                   ` (31 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel
  Cc: Pavel Dovgalyuk, Philippe Mathieu-Daudé,
	qemu-stable, Pavel Dovgalyuk

From: Pavel Dovgalyuk <Pavel.Dovgaluk@gmail.com>

This patch moves image downloading functions to a separate class to allow
reusing them from record/replay tests.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <159073593167.20809.17582679291556188984.stgit@pasha-ThinkPad-X280>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit 1c80c87c8c2489e4318c93c844aa29bc1d014146)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/acceptance/boot_linux.py | 49 ++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 20 deletions(-)

diff --git a/tests/acceptance/boot_linux.py b/tests/acceptance/boot_linux.py
index 075a386300..3aa57e88b0 100644
--- a/tests/acceptance/boot_linux.py
+++ b/tests/acceptance/boot_linux.py
@@ -26,22 +26,8 @@ KVM_NOT_AVAILABLE = ACCEL_NOT_AVAILABLE_FMT % "KVM"
 TCG_NOT_AVAILABLE = ACCEL_NOT_AVAILABLE_FMT % "TCG"
 
 
-class BootLinux(Test):
-    """
-    Boots a Linux system, checking for a successful initialization
-    """
-
-    timeout = 900
-    chksum = None
-
-    def setUp(self):
-        super(BootLinux, self).setUp()
-        self.vm.add_args('-smp', '2')
-        self.vm.add_args('-m', '1024')
-        self.prepare_boot()
-        self.prepare_cloudinit()
-
-    def prepare_boot(self):
+class BootLinuxBase(Test):
+    def download_boot(self):
         self.log.debug('Looking for and selecting a qemu-img binary to be '
                        'used to create the bootable snapshot image')
         # If qemu-img has been built, use it, otherwise the system wide one
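Review bot: `class BootLinuxBase(Test):` goes straight into `download_boot` with no docstring, while the class it was split from had one. A short docstring stating that this base class only downloads and prepares the images, and leaves adding drives to `self.vm` to its subclasses, would make the intended reuse explicit.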
@@ -60,17 +46,17 @@ class BootLinux(Test):
         if image_arch == 'ppc64':
             image_arch = 'ppc64le'
         try:
-            self.boot = vmimage.get(
+            boot = vmimage.get(
                 'fedora', arch=image_arch, version='31',
                 checksum=self.chksum,
                 algorithm='sha256',
                 cache_dir=self.cache_dirs[0],
                 snapshot_dir=self.workdir)
-            self.vm.add_args('-drive', 'file=%s' % self.boot.path)
         except:
             self.cancel('Failed to download/prepare boot image')
+        return boot.path
 
-    def prepare_cloudinit(self):
+    def download_cloudinit(self):
         self.log.info('Preparing cloudinit image')
         try:
             cloudinit_iso = os.path.join(self.workdir, 'cloudinit.iso')
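Review bot: `download_boot` passes `checksum=self.chksum`, but as far as these hunks show `chksum = None` now lives only in `BootLinux`, so a class deriving directly from `BootLinuxBase` that does not define it raises `AttributeError` inside the `try`, and the bare `except:` reports that as 'Failed to download/prepare boot image'. Move the `chksum` default into `BootLinuxBase` and narrow the handler to `except Exception:`, as `download_cloudinit` already does. `return boot.path` after the handler is only safe as long as `self.cancel()` never returns.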
@@ -81,9 +67,32 @@ class BootLinux(Test):
                           # QEMU's hard coded usermode router address
                           phone_home_host='10.0.2.2',
                           phone_home_port=self.phone_home_port)
-            self.vm.add_args('-drive', 'file=%s,format=raw' % cloudinit_iso)
         except Exception:
             self.cancel('Failed to prepared cloudinit image')
+        return cloudinit_iso
+
+class BootLinux(BootLinuxBase):
+    """
+    Boots a Linux system, checking for a successful initialization
+    """
+
+    timeout = 900
+    chksum = None
+
+    def setUp(self):
+        super(BootLinux, self).setUp()
+        self.vm.add_args('-smp', '2')
+        self.vm.add_args('-m', '1024')
+        self.prepare_boot()
+        self.prepare_cloudinit()
+
+    def prepare_boot(self):
+        path = self.download_boot()
+        self.vm.add_args('-drive', 'file=%s' % path)
+
+    def prepare_cloudinit(self):
+        cloudinit_iso = self.download_cloudinit()
+        self.vm.add_args('-drive', 'file=%s,format=raw' % cloudinit_iso)
 
     def launch_and_wait(self):
         self.vm.set_console()
-- 
2.17.1




* [PATCH 49/77] tests/acceptance: refactor boot_linux_console test to allow code reuse
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (47 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 50/77] tests/acceptance/boot_linux: Expand SD card image to power of 2 Michael Roth
                   ` (30 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel
  Cc: Pavel Dovgalyuk, Philippe Mathieu-Daudé,
	qemu-stable, Pavel Dovgalyuk

From: Pavel Dovgalyuk <Pavel.Dovgaluk@gmail.com>

This patch splits code in BootLinuxConsole class into two different
classes to allow reusing it by record/replay tests.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <159073588490.20809.13942096070255577558.stgit@pasha-ThinkPad-X280>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit 12121c496fcc609e23033c4a36399b54f98bcd56)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/acceptance/boot_linux_console.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index d864d22ca8..e4204d8f09 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -28,19 +28,13 @@ try:
 except CmdNotFoundError:
     P7ZIP_AVAILABLE = False
 
-class BootLinuxConsole(Test):
-    """
-    Boots a Linux kernel and checks that the console is operational and the
-    kernel command line is properly passed from QEMU to the kernel
-    """
-
-    timeout = 90
-
+class LinuxKernelTest(Test):
     KERNEL_COMMON_COMMAND_LINE = 'printk.time=0 '
 
-    def wait_for_console_pattern(self, success_message):
+    def wait_for_console_pattern(self, success_message, vm=None):
         wait_for_console_pattern(self, success_message,
-                                 failure_message='Kernel panic - not syncing')
+                                 failure_message='Kernel panic - not syncing',
+                                 vm=vm)
 
     def extract_from_deb(self, deb, path):
         """
@@ -79,6 +73,13 @@ class BootLinuxConsole(Test):
         os.chdir(cwd)
         return os.path.normpath(os.path.join(self.workdir, path))
 
+class BootLinuxConsole(LinuxKernelTest):
+    """
+    Boots a Linux kernel and checks that the console is operational and the
+    kernel command line is properly passed from QEMU to the kernel
+    """
+    timeout = 90
+
     def test_x86_64_pc(self):
         """
         :avocado: tags=arch:x86_64
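Review bot: `timeout = 90` and the class docstring are now defined only on `BootLinuxConsole`, so `LinuxKernelTest` from the previous hunk has neither, and tests deriving from the new base class get whatever timeout `Test` provides. Add a docstring to `LinuxKernelTest` and either keep a default `timeout` there or note that subclasses must set one. The `vm=None` pass-through added to its `wait_for_console_pattern` is undocumented as well.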
-- 
2.17.1




* [PATCH 50/77] tests/acceptance/boot_linux: Expand SD card image to power of 2
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (48 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 49/77] tests/acceptance: refactor boot_linux_console test " Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 51/77] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Michael Roth
                   ` (29 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

In a few commits we won't allow SD card images with invalid size
(not aligned to a power of 2). Prepare the tests: add the
pow2ceil() and image_pow2ceil_expand() methods and resize the
images (expanding) of the tests using SD cards.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cleber Rosa <crosa@redhat.com>
Message-Id: <20200713183209.26308-5-f4bug@amsat.org>
(cherry picked from commit 6a289a5ba3383e17fb47029720425bef42e424d7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/acceptance/boot_linux_console.py | 31 ++++++++++++++++++--------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index e4204d8f09..db901c1348 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -28,6 +28,22 @@ try:
 except CmdNotFoundError:
     P7ZIP_AVAILABLE = False
 
+"""
+Round up to next power of 2
+"""
+def pow2ceil(x):
+    return 1 if x == 0 else 2**(x - 1).bit_length()
+
+"""
+Expand file size to next power of 2
+"""
+def image_pow2ceil_expand(path):
+        size = os.path.getsize(path)
+        size_aligned = pow2ceil(size)
+        if size != size_aligned:
+            with open(path, 'ab+') as fd:
+                fd.truncate(size_aligned)
+
 class LinuxKernelTest(Test):
     KERNEL_COMMON_COMMAND_LINE = 'printk.time=0 '
 
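Review bot: the two triple-quoted strings sit above `pow2ceil` and `image_pow2ceil_expand` as bare expression statements, so neither function actually gets a docstring; move them inside the function bodies. The body of `image_pow2ceil_expand` is also indented eight spaces instead of four, and opening the file with `'ab+'` only to call `fd.truncate(size_aligned)` reads oddly: `'r+b'` or `os.truncate(path, size_aligned)` states the intent directly.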
@@ -600,6 +616,7 @@ class BootLinuxConsole(LinuxKernelTest):
         rootfs_path_xz = self.fetch_asset(rootfs_url, asset_hash=rootfs_hash)
         rootfs_path = os.path.join(self.workdir, 'rootfs.cpio')
         archive.lzma_uncompress(rootfs_path_xz, rootfs_path)
+        image_pow2ceil_expand(rootfs_path)
 
         self.vm.set_console()
         kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
@@ -637,7 +654,7 @@ class BootLinuxConsole(LinuxKernelTest):
         :avocado: tags=device:sd
         """
 
-        # This test download a 196MB compressed image and expand it to 932MB...
+        # This test download a 196MB compressed image and expand it to 1GB
         image_url = ('https://dl.armbian.com/orangepipc/archive/'
                      'Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.7z')
         image_hash = '196a8ffb72b0123d92cea4a070894813d305c71e'
@@ -645,6 +662,7 @@ class BootLinuxConsole(LinuxKernelTest):
         image_name = 'Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.img'
         image_path = os.path.join(self.workdir, image_name)
         process.run("7z e -o%s %s" % (self.workdir, image_path_7z))
+        image_pow2ceil_expand(image_path)
 
         self.vm.set_console()
         self.vm.add_args('-drive', 'file=' + image_path + ',if=sd,format=raw',
@@ -678,7 +696,7 @@ class BootLinuxConsole(LinuxKernelTest):
         :avocado: tags=machine:orangepi-pc
         :avocado: tags=device:sd
         """
-        # This test download a 304MB compressed image and expand it to 1.3GB...
+        # This test download a 304MB compressed image and expand it to 2GB
         deb_url = ('http://snapshot.debian.org/archive/debian/'
                    '20200108T145233Z/pool/main/u/u-boot/'
                    'u-boot-sunxi_2020.01%2Bdfsg-1_armhf.deb')
@@ -695,8 +713,9 @@ class BootLinuxConsole(LinuxKernelTest):
         image_hash = '2babb29d36d8360adcb39c09e31060945259917a'
         image_path_gz = self.fetch_asset(image_url, asset_hash=image_hash)
         image_path = os.path.join(self.workdir, 'armv7.img')
-        image_drive_args = 'if=sd,format=raw,snapshot=on,file=' + image_path
         archive.gzip_uncompress(image_path_gz, image_path)
+        image_pow2ceil_expand(image_path)
+        image_drive_args = 'if=sd,format=raw,snapshot=on,file=' + image_path
 
         # dd if=u-boot-sunxi-with-spl.bin of=armv7.img bs=1K seek=8 conv=notrunc
         with open(uboot_path, 'rb') as f_in:
@@ -704,12 +723,6 @@ class BootLinuxConsole(LinuxKernelTest):
                 f_out.seek(8 * 1024)
                 shutil.copyfileobj(f_in, f_out)
 
-                # Extend image, to avoid that NetBSD thinks the partition
-                # inside the image is larger than device size itself
-                f_out.seek(0, 2)
-                f_out.seek(64 * 1024 * 1024, 1)
-                f_out.write(bytearray([0x00]))
-
         self.vm.set_console()
         self.vm.add_args('-nic', 'user',
                          '-drive', image_drive_args,
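Review bot: the removed block guaranteed 64 MiB of slack so that NetBSD would not see a partition larger than the device, whereas `image_pow2ceil_expand` adds nothing when the uncompressed image is already an exact power of two. The comment updated earlier in this patch (1.3GB expanded to 2GB) shows this asset is fine, but a one-line comment next to the `image_pow2ceil_expand(image_path)` call recording the NetBSD constraint would keep the reason from being lost.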
-- 
2.17.1




* [PATCH 51/77] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (49 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 50/77] tests/acceptance/boot_linux: Expand SD card image to power of 2 Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 52/77] hw/sd/sdcard: Simplify realize() a bit Michael Roth
                   ` (28 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Only SCSD cards support Class 6 (Block Oriented Write Protection)
commands.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.14 Command Functional Difference in Card Capacity Types

  * Write Protected Group

  SDHC and SDXC do not support write-protected groups. Issuing
  CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
(cherry picked from commit 9157dd597d293ab7f599f4d96c3fe8a6e07c633d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sd.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 3c06a0ac6d..da39590f58 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -905,6 +905,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         sd->multi_blk_cnt = 0;
     }
 
+    if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
+        /* Only Standard Capacity cards support class 6 commands */
+        return sd_illegal;
+    }
+
     switch (req.cmd) {
     /* Basic commands (Class 0 and Class 1) */
     case 0:	/* CMD0:   GO_IDLE_STATE */
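Review bot: `sd_cmd_class[req.cmd]` is now read ahead of the `switch (req.cmd)`, so the table lookup runs for every command index the guest sends. Nothing in the hunk bounds `req.cmd` against the size of `sd_cmd_class`; please confirm the index is range-checked earlier in `sd_normal_command` or add the check here. The comment could also say that the condition tests the OCR CARD_CAPACITY bit, which is what distinguishes SDHC/SDXC from Standard Capacity cards.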
-- 
2.17.1




* [PATCH 52/77] hw/sd/sdcard: Simplify realize() a bit
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (50 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 51/77] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes Michael Roth
                   ` (27 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

We don't need to check if sd->blk is set twice.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
(cherry picked from commit 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sd.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index da39590f58..04258f1816 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -2090,12 +2090,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
         return;
     }
 
-    if (sd->blk && blk_is_read_only(sd->blk)) {
-        error_setg(errp, "Cannot use read-only drive as SD card");
-        return;
-    }
-
     if (sd->blk) {
+        if (blk_is_read_only(sd->blk)) {
+            error_setg(errp, "Cannot use read-only drive as SD card");
+            return;
+        }
+
         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
                            BLK_PERM_ALL, errp);
         if (ret < 0) {
-- 
2.17.1




* [PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (51 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 52/77] hw/sd/sdcard: Simplify realize() a bit Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 54/77] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Michael Roth
                   ` (26 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

QEMU allows creating SD cards with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.

While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.

In a pair of commits we will fix CVE-2020-13253 as:

    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
    occurred and no data transfer is performed.

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
    occurred and no data transfer is performed.

    WP_VIOLATION errors are not modified: the error bit is set, we
    stay in receive-data state, wait for a stop command. All further
    data transfer is ignored. See the check on sd->card_status at the
    beginning of sd_read_data() and sd_write_data().

While this is the correct behavior, in case QEMU creates smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this an invalid address, thus "all further data transfer
is ignored". This is wrong and makes the guest loop until it
eventually times out.

Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):

  $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
  qemu-system-arm: Invalid SD card size: 60 MiB
  SD card size has to be a power of 2, e.g. 64 MiB.
  You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
  (note that this will lose data if you make the image smaller than it currently is).

Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
(cherry picked from commit a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sd.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 04258f1816..c34435ede4 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -32,6 +32,7 @@
 
 #include "qemu/osdep.h"
 #include "qemu/units.h"
+#include "qemu/cutils.h"
 #include "hw/irq.h"
 #include "hw/registerfields.h"
 #include "sysemu/block-backend.h"
@@ -2091,11 +2092,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
     }
 
     if (sd->blk) {
+        int64_t blk_size;
+
         if (blk_is_read_only(sd->blk)) {
             error_setg(errp, "Cannot use read-only drive as SD card");
             return;
         }
 
+        blk_size = blk_getlength(sd->blk);
+        if (blk_size > 0 && !is_power_of_2(blk_size)) {
+            int64_t blk_size_aligned = pow2ceil(blk_size);
+            char *blk_size_str;
+
+            blk_size_str = size_to_str(blk_size);
+            error_setg(errp, "Invalid SD card size: %s", blk_size_str);
+            g_free(blk_size_str);
+
+            blk_size_str = size_to_str(blk_size_aligned);
+            error_append_hint(errp,
+                              "SD card size has to be a power of 2, e.g. %s.\n"
+                              "You can resize disk images with"
+                              " 'qemu-img resize <imagefile> <new-size>'\n"
+                              "(note that this will lose data if you make the"
+                              " image smaller than it currently is).\n",
+                              blk_size_str);
+            g_free(blk_size_str);
+
+            return;
+        }
+
         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
                            BLK_PERM_ALL, errp);
         if (ret < 0) {
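Review bot: `blk_size > 0 && !is_power_of_2(blk_size)` lets a negative return from `blk_getlength()` through silently, so a backend whose length cannot be read skips the size validation altogether and realize carries on. Handle `blk_size < 0` explicitly with its own error before the power-of-2 test. The two `size_to_str()` / `g_free()` pairs could also use `g_autofree` to drop the manual frees.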
-- 
2.17.1




* [PATCH 54/77] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (52 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 55/77] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Michael Roth
                   ` (25 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

To make the next commit easier to review, clean this code first.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
(cherry picked from commit 794d68de2f021a6d3874df41d6bbe8590ec05207)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sd.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index c34435ede4..b927f7966d 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1160,8 +1160,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             sd->data_start = addr;
             sd->data_offset = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size)
+            if (sd->data_start + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
+            }
             return sd_r1;
 
         default:
@@ -1176,8 +1177,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             sd->data_start = addr;
             sd->data_offset = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size)
+            if (sd->data_start + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
+            }
             return sd_r1;
 
         default:
@@ -1222,12 +1224,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             sd->data_offset = 0;
             sd->blk_written = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size)
+            if (sd->data_start + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
-            if (sd_wp_addr(sd, sd->data_start))
+            }
+            if (sd_wp_addr(sd, sd->data_start)) {
                 sd->card_status |= WP_VIOLATION;
-            if (sd->csd[14] & 0x30)
+            }
+            if (sd->csd[14] & 0x30) {
                 sd->card_status |= WP_VIOLATION;
+            }
             return sd_r1;
 
         default:
@@ -1246,12 +1251,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             sd->data_offset = 0;
             sd->blk_written = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size)
+            if (sd->data_start + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
-            if (sd_wp_addr(sd, sd->data_start))
+            }
+            if (sd_wp_addr(sd, sd->data_start)) {
                 sd->card_status |= WP_VIOLATION;
-            if (sd->csd[14] & 0x30)
+            }
+            if (sd->csd[14] & 0x30) {
                 sd->card_status |= WP_VIOLATION;
+            }
             return sd_r1;
 
         default:
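Review bot: the `sd->data_start + sd->blk_len > sd->size` test is now spelled out identically in four places in `sd_normal_command`. Since the commit message says this cleanup exists to make the next commit easier to review, factoring the range check into a small helper here would shrink that follow-up diff and keep the four sites from drifting apart.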
-- 
2.17.1




* [PATCH 55/77] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (53 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 54/77] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 56/77] target/hppa: Free some temps in do_sub Michael Roth
                   ` (24 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
queued commands.

  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.3 Data Read

  Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

  4.3.4 Data Write

  Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
  occurred and no data transfer is performed.

WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().

Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
(cherry picked from commit 790762e5487114341cccc5bffcec4cb3c022c3cd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index b927f7966d..837fe9053d 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1156,13 +1156,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
         switch (sd->state) {
         case sd_transfer_state:
-            sd->state = sd_sendingdata_state;
-            sd->data_start = addr;
-            sd->data_offset = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size) {
+            if (addr + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
             }
+
+            sd->state = sd_sendingdata_state;
+            sd->data_start = addr;
+            sd->data_offset = 0;
             return sd_r1;
 
         default:
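Review bot: in the CMD17 case the bound is tested as
`addr + sd->blk_len > sd->size`, and the declarations of addr and
sd->size are not visible in this hunk. If that sum can wrap, an
out-of-range addr passes the test and still reaches
sd_sendingdata_state. Consider the subtraction form (reject when
sd->blk_len > sd->size or addr > sd->size - sd->blk_len), or add a
comment saying why wrap is impossible. Minor: the blank line now left
directly under `case sd_transfer_state:` can go.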
@@ -1173,13 +1175,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
         switch (sd->state) {
         case sd_transfer_state:
-            sd->state = sd_sendingdata_state;
-            sd->data_start = addr;
-            sd->data_offset = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size) {
+            if (addr + sd->blk_len > sd->size) {
                 sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
             }
+
+            sd->state = sd_sendingdata_state;
+            sd->data_start = addr;
+            sd->data_offset = 0;
             return sd_r1;
 
         default:
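Review bot: for CMD18 the test `addr + sd->blk_len > sd->size` only
proves that the first block fits. READ_MULTIPLE_BLOCK keeps going past
it, so the end-of-card check for later blocks has to live in the data
path. A short comment here saying where that is enforced would make it
clear that this hunk alone does not bound the whole transfer.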
@@ -1219,14 +1223,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             /* Writing in SPI mode not implemented.  */
             if (sd->spi)
                 break;
+
+            if (addr + sd->blk_len > sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+            }
+
             sd->state = sd_receivingdata_state;
             sd->data_start = addr;
             sd->data_offset = 0;
             sd->blk_written = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
-            }
             if (sd_wp_addr(sd, sd->data_start)) {
                 sd->card_status |= WP_VIOLATION;
             }
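Review bot: the new early `return sd_r1;` on ADDRESS_ERROR sits just
above the WP_VIOLATION test, which sets its bit but still lets the
state move to sd_receivingdata_state. The two errors behave differently
on purpose (the commit message explains it), but nothing in the code
says so. A one-line comment at the new check citing spec section 4.3.4
would keep the asymmetry from being mistaken for an oversight later.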
@@ -1246,14 +1253,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
             /* Writing in SPI mode not implemented.  */
             if (sd->spi)
                 break;
+
+            if (addr + sd->blk_len > sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+            }
+
             sd->state = sd_receivingdata_state;
             sd->data_start = addr;
             sd->data_offset = 0;
             sd->blk_written = 0;
 
-            if (sd->data_start + sd->blk_len > sd->size) {
-                sd->card_status |= ADDRESS_ERROR;
-            }
             if (sd_wp_addr(sd, sd->data_start)) {
                 sd->card_status |= WP_VIOLATION;
             }
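Review bot: this is the fourth copy of the same range check (CMD17,
CMD18, CMD24 and here in CMD25). A small helper that sets ADDRESS_ERROR
and returns whether the request is in range would keep the four call
sites from drifting apart, which matters because a missed site is the
bug class this patch fixes.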
-- 
2.17.1




* [PATCH 56/77] target/hppa: Free some temps in do_sub
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (54 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 55/77] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 57/77] tpm: tpm_spapr: Exit on TPM backend failures Michael Roth
                   ` (23 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Richard Henderson, qemu-stable

From: Richard Henderson <richard.henderson@linaro.org>

Two temps allocated but not freed.  Do enough subtractions
within a single TB and one can run out of temps entirely.

Fixes: b2167459ae ("target-hppa: Implement basic arithmetic")
Buglink: https://bugs.launchpad.net/qemu/+bug/1880287
Tested-by: Sven Schnelle <svens@stackframe.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20200720174039.517902-1-richard.henderson@linaro.org>
(cherry picked from commit 79826f99feb7222b7804058f0b4ace9ee0546361)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target/hppa/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index 52d7bea1ea..4bd22d4820 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -1294,6 +1294,8 @@ static void do_sub(DisasContext *ctx, unsigned rt, TCGv_reg in1,
     save_or_nullify(ctx, cpu_psw_cb_msb, cb_msb);
     save_gpr(ctx, rt, dest);
     tcg_temp_free(dest);
+    tcg_temp_free(cb);
+    tcg_temp_free(cb_msb);
 
     /* Install the new nullification.  */
     cond_free(&ctx->null_cond);
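Review bot: cb_msb is freed two lines after it is passed to
save_or_nullify() and just before the new nullification condition is
installed. Please confirm that the condition computed earlier in
do_sub holds its own copy rather than a reference to cb or cb_msb,
otherwise the freed temp is still referenced from ctx->null_cond. The
hunk does not show that part.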
-- 
2.17.1




* [PATCH 57/77] tpm: tpm_spapr: Exit on TPM backend failures
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (55 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 56/77] target/hppa: Free some temps in do_sub Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 58/77] tests: tpm: Skip over pcrUpdateCounter byte in result comparison Michael Roth
                   ` (22 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefan Berger, qemu-stable, Stefan Berger

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

Exit on TPM backend failures in the same way as the TPM CRB and TIS device
models do. With this change we now get an error report when the backend
did not start up properly:

error: internal error: qemu unexpectedly closed the monitor:
2020-07-07T12:49:28.333928Z qemu-system-ppc64: tpm-emulator: \
  TPM result for CMD_INIT: 0x101 operation failed

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20200707201625.4177419-2-stefanb@linux.vnet.ibm.com
(cherry picked from commit f8b332a1ff107dc014a52eaf9bf547995205f18a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/tpm/tpm_spapr.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/tpm/tpm_spapr.c b/hw/tpm/tpm_spapr.c
index ce65eb2e45..b67aafb24e 100644
--- a/hw/tpm/tpm_spapr.c
+++ b/hw/tpm/tpm_spapr.c
@@ -306,7 +306,10 @@ static void tpm_spapr_reset(SpaprVioDevice *dev)
                             TPM_SPAPR_BUFFER_MAX);
 
     tpm_backend_reset(s->be_driver);
-    tpm_spapr_do_startup_tpm(s, s->be_buffer_size);
+
+    if (tpm_spapr_do_startup_tpm(s, s->be_buffer_size) < 0) {
+        exit(1);
+    }
 }
 
 static enum TPMVersion tpm_spapr_get_version(TPMIf *ti)
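Review bot: `exit(1)` is reached from tpm_spapr_reset() with no message
at this site, so the only diagnostic is whatever the backend printed.
An error_report() naming the device before exiting, or a comment
stating that the backend has already reported the failure, would make
the abort easier to trace. Since this is the reset handler, it is also
worth noting that any later reset with a failed backend terminates
QEMU, not only the initial startup.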
-- 
2.17.1




* [PATCH 58/77] tests: tpm: Skip over pcrUpdateCounter byte in result comparison
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (56 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 57/77] tpm: tpm_spapr: Exit on TPM backend failures Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 59/77] qdev: Fix device_add DRIVER,help to print to monitor Michael Roth
                   ` (21 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefan Berger, qemu-stable, Stefan Berger

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

The TPM 2 code in libtpms was fixed to handle the PCR 'TCB group' according
to the PCClient profile. The change of the PCRs belonging to the 'TCB group'
now affects the pcrUpdateCounter in the TPM2_PCRRead() responses where its
value is now different (typically lower by '1') than what it was before. To
not fail the tests, we skip the comparison of the 14th byte, which
represents the pcrUpdateCounter.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20200707201625.4177419-3-stefanb@linux.vnet.ibm.com
(cherry picked from commit df8a7568932e4c3c930fdfeb228dd72b4bb71a1f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qtest/tpm-util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/tpm-util.c b/tests/qtest/tpm-util.c
index 34efae8f18..58a9593745 100644
--- a/tests/qtest/tpm-util.c
+++ b/tests/qtest/tpm-util.c
@@ -139,7 +139,11 @@ void tpm_util_pcrread(QTestState *s, tx_func *tx,
 
     tx(s, tpm_pcrread, sizeof(tpm_pcrread), buffer, sizeof(buffer));
 
-    g_assert_cmpmem(buffer, exp_resp_size, exp_resp, exp_resp_size);
+    /* skip pcrUpdateCounter (14th byte) in comparison */
+    g_assert(exp_resp_size >= 15);
+    g_assert_cmpmem(buffer, 13, exp_resp, 13);
+    g_assert_cmpmem(&buffer[14], exp_resp_size - 14,
+                    &exp_resp[14], exp_resp_size - 14);
 }
 
 bool tpm_util_swtpm_has_tpm2(void)
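Review bot: the literals 13, 14 and 15 in the new comparison are all
tied to the position of pcrUpdateCounter but are written out
separately. They are consistent (indices 0..12 compared, index 13
skipped, comparison resumes at index 14, and the assert guarantees at
least one byte after the gap), but a named constant for the counter
offset, with the other values derived from it, would make that
checkable at a glance.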
-- 
2.17.1




* [PATCH 59/77] qdev: Fix device_add DRIVER,help to print to monitor
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (57 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 58/77] tests: tpm: Skip over pcrUpdateCounter byte in result comparison Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 60/77] virtio-balloon: Prevent guest from starting a report when we didn't request one Michael Roth
                   ` (20 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Marc-André Lureau, qemu-stable, Markus Armbruster

From: Markus Armbruster <armbru@redhat.com>

Help on device properties gets printed to stdout instead of the
monitor.  If you have the monitor anywhere else, no help for you.
Broken when commit e1043d674d "qdev: use object_property_help()"
accidentally switched from qemu_printf() to printf().  Switch right
back.

Fixes: e1043d674d792ff64aebae1a3eafc08b38a8a085
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200714160202.3121879-2-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 029afc4e76041e1a320530d97f99122a1b3d5da2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qdev-monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qdev-monitor.c b/qdev-monitor.c
index 9833b33549..6bf6339ff5 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -299,7 +299,7 @@ int qdev_device_help(QemuOpts *opts)
     }
     g_ptr_array_sort(array, (GCompareFunc)qemu_pstrcmp0);
     for (i = 0; i < array->len; i++) {
-        printf("%s\n", (char *)array->pdata[i]);
+        qemu_printf("%s\n", (char *)array->pdata[i]);
     }
     g_ptr_array_set_free_func(array, g_free);
     g_ptr_array_free(array, true);
-- 
2.17.1




* [PATCH 60/77] virtio-balloon: Prevent guest from starting a report when we didn't request one
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (58 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 59/77] qdev: Fix device_add DRIVER,help to print to monitor Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 61/77] virtio-balloon: Add locking to prevent possible race when starting hinting Michael Roth
                   ` (19 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Duyck, qemu-stable, Michael S . Tsirkin

From: Alexander Duyck <alexander.h.duyck@linux.intel.com>

Based on code review it appears possible for the driver to force the device
out of a stopped state when hinting by repeating the last ID it was
provided.

Prevent this by only allowing a transition to the start state when we are
in the requested state. This way the driver is only allowed to send one
descriptor that will transition the device into the start state. All others
will leave it in the stop state once it has finished.

Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 20a4da0f23078deeff5ea6d1e12f47d968d7c3c9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index e20f90dad4..a30a0c7bfa 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -466,7 +466,8 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
             ret = false;
             goto out;
         }
-        if (id == dev->free_page_report_cmd_id) {
+        if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
+            id == dev->free_page_report_cmd_id) {
             dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
         } else {
             /*
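Review bot: the new condition reads dev->free_page_report_status and
the next line writes it, and no lock is taken in the lines shown. If
this path can run concurrently with the code that requests or stops
hinting, the check and the transition to FREE_PAGE_REPORT_S_START need
to happen under the same mutex. Please confirm the caller holds it, or
take it here.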
-- 
2.17.1




* [PATCH 61/77] virtio-balloon: Add locking to prevent possible race when starting hinting
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (59 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 60/77] virtio-balloon: Prevent guest from starting a report when we didn't request one Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 62/77] virtio-balloon: always indicate S_DONE when migration fails Michael Roth
                   ` (18 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Duyck, qemu-stable, Michael S . Tsirkin

From: Alexander Duyck <alexander.h.duyck@linux.intel.com>

There is already locking in place when we are stopping free page hinting
but there are no similar protections in place when we start. I can only
assume this was overlooked as in most cases the page hinting should not be
occurring when we are starting the hinting, however there is still a chance
we could be processing hints by the time we get back around to restarting
the hinting so we are better off making sure to protect the state with the
mutex lock rather than just updating the value with no protections.

Based on feedback from Peter Maydell this issue had also been spotted by
Coverity: CID 1430269

Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175122.21935.78013.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 1a83e0b9c492a0eaeacd6fbb858fc81d04ab9c3e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index a30a0c7bfa..d6e31de1d9 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -532,6 +532,8 @@ static void virtio_balloon_free_page_start(VirtIOBalloon *s)
         return;
     }
 
+    qemu_mutex_lock(&s->free_page_lock);
+
     if (s->free_page_report_cmd_id == UINT_MAX) {
         s->free_page_report_cmd_id =
                        VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
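Review bot: the lock is taken only after the early `return;` at the top
of the function, so whatever that guard tests is evaluated unlocked.
If it depends on free_page_report_status or free_page_report_cmd_id,
move it under free_page_lock. If not, a comment on free_page_lock
listing the fields it protects would document the rule this change
establishes.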
@@ -540,6 +542,8 @@ static void virtio_balloon_free_page_start(VirtIOBalloon *s)
     }
 
     s->free_page_report_status = FREE_PAGE_REPORT_S_REQUESTED;
+    qemu_mutex_unlock(&s->free_page_lock);
+
     virtio_notify_config(vdev);
 }
 
-- 
2.17.1




* [PATCH 62/77] virtio-balloon: always indicate S_DONE when migration fails
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (60 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 61/77] virtio-balloon: Add locking to prevent possible race when starting hinting Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 63/77] linux-headers: update against Linux 5.7-rc3 Michael Roth
                   ` (17 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel
  Cc: Wei Wang, Michael S . Tsirkin, qemu-stable, Alexander Duyck,
	David Hildenbrand

From: David Hildenbrand <david@redhat.com>

If something goes wrong during precopy, before stopping the VM, we will
never send a S_DONE indication to the VM, resulting in the hinted pages
not getting released to be used by the guest OS (e.g., Linux).

Easy to reproduce:
1. Start migration (e.g., HMP "migrate -d 'exec:gzip -c > STATEFILE.gz'")
2. Cancel migration (e.g., HMP "migrate_cancel")
3. Observe in the guest (e.g., cat /proc/meminfo) that there is basically
   no free memory left.

While at it, add similar locking to virtio_balloon_free_page_done() as
done in virtio_balloon_free_page_stop. Locking is still weird, but that
has to be sorted out separately.

There is nothing to do in the PRECOPY_NOTIFY_COMPLETE case. Add some
comments regarding S_DONE handling.

Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Cc: Wei Wang <wei.w.wang@intel.com>
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200629080615.26022-1-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit dd8eeb9671fc881e613008bd20035b85fe45383d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index d6e31de1d9..6c75db123e 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -572,8 +572,13 @@ static void virtio_balloon_free_page_done(VirtIOBalloon *s)
 {
     VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-    s->free_page_report_status = FREE_PAGE_REPORT_S_DONE;
-    virtio_notify_config(vdev);
+    if (s->free_page_report_status != FREE_PAGE_REPORT_S_DONE) {
+        /* See virtio_balloon_free_page_stop() */
+        qemu_mutex_lock(&s->free_page_lock);
+        s->free_page_report_status = FREE_PAGE_REPORT_S_DONE;
+        qemu_mutex_unlock(&s->free_page_lock);
+        virtio_notify_config(vdev);
+    }
 }
 
 static int
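Review bot: the test
`s->free_page_report_status != FREE_PAGE_REPORT_S_DONE` is made before
qemu_mutex_lock(), so the status can change between the check and the
locked write. Taking the lock first and doing the comparison inside it
(remembering whether to notify, then calling virtio_notify_config()
after the unlock) closes that window.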
@@ -597,17 +602,26 @@ virtio_balloon_free_page_report_notify(NotifierWithReturn *n, void *data)
     case PRECOPY_NOTIFY_SETUP:
         precopy_enable_free_page_optimization();
         break;
-    case PRECOPY_NOTIFY_COMPLETE:
-    case PRECOPY_NOTIFY_CLEANUP:
     case PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC:
         virtio_balloon_free_page_stop(dev);
         break;
     case PRECOPY_NOTIFY_AFTER_BITMAP_SYNC:
         if (vdev->vm_running) {
             virtio_balloon_free_page_start(dev);
-        } else {
-            virtio_balloon_free_page_done(dev);
+            break;
         }
+        /*
+         * Set S_DONE before migrating the vmstate, so the guest will reuse
+         * all hinted pages once running on the destination. Fall through.
+         */
+    case PRECOPY_NOTIFY_CLEANUP:
+        /*
+         * Especially, if something goes wrong during precopy or if migration
+         * is canceled, we have to properly communicate S_DONE to the VM.
+         */
+        virtio_balloon_free_page_done(dev);
+        break;
+    case PRECOPY_NOTIFY_COMPLETE:
         break;
     default:
         virtio_error(vdev, "%s: %d reason unknown", __func__, pnd->reason);
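Review bot: `case PRECOPY_NOTIFY_COMPLETE:` is now an empty case with a
bare `break;`, and the reason is given only in the commit message. A
one-line comment there, e.g. saying that S_DONE was already signalled
in the AFTER_BITMAP_SYNC path, would keep it from looking like an
omission. The fall-through from AFTER_BITMAP_SYNC into CLEANUP is
annotated, which is good.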
-- 
2.17.1




* [PATCH 63/77] linux-headers: update against Linux 5.7-rc3
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (61 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 62/77] virtio-balloon: always indicate S_DONE when migration fails Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 64/77] virtio-balloon: Replace free page hinting references to 'report' with 'hint' Michael Roth
                   ` (16 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Cornelia Huck, qemu-stable

From: Cornelia Huck <cohuck@redhat.com>

commit 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c

Reviewed-by: Michael S. Tsirkin <mst@redhat.com> # virtio/vhost parts
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20200427102415.10915-3-cohuck@redhat.com>
(cherry picked from commit dc6f8d458a4ccc360723993f31d310d06469f55f)
*dep for 3219b42f02
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/standard-headers/linux/ethtool.h      |  10 +-
 .../linux/input-event-codes.h                 |   5 +-
 include/standard-headers/linux/pci_regs.h     |   2 +
 include/standard-headers/linux/vhost_types.h  |   8 ++
 .../standard-headers/linux/virtio_balloon.h   |  12 ++-
 include/standard-headers/linux/virtio_ids.h   |   1 +
 include/standard-headers/linux/virtio_net.h   | 102 +++++++++++++++++-
 linux-headers/COPYING                         |   2 +
 linux-headers/asm-x86/kvm.h                   |   1 +
 linux-headers/asm-x86/unistd_32.h             |   1 +
 linux-headers/asm-x86/unistd_64.h             |   1 +
 linux-headers/asm-x86/unistd_x32.h            |   1 +
 linux-headers/linux/kvm.h                     |  47 +++++++-
 linux-headers/linux/mman.h                    |   5 +-
 linux-headers/linux/userfaultfd.h             |  40 +++++--
 linux-headers/linux/vfio.h                    |  37 +++++++
 linux-headers/linux/vhost.h                   |  24 +++++
 17 files changed, 280 insertions(+), 19 deletions(-)

diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
index 8adf3b018b..1200890c86 100644
--- a/include/standard-headers/linux/ethtool.h
+++ b/include/standard-headers/linux/ethtool.h
@@ -596,6 +596,9 @@ struct ethtool_pauseparam {
  * @ETH_SS_LINK_MODES: link mode names
  * @ETH_SS_MSG_CLASSES: debug message class names
  * @ETH_SS_WOL_MODES: wake-on-lan modes
+ * @ETH_SS_SOF_TIMESTAMPING: SOF_TIMESTAMPING_* flags
+ * @ETH_SS_TS_TX_TYPES: timestamping Tx types
+ * @ETH_SS_TS_RX_FILTERS: timestamping Rx filters
  */
 enum ethtool_stringset {
 	ETH_SS_TEST		= 0,
@@ -610,6 +613,9 @@ enum ethtool_stringset {
 	ETH_SS_LINK_MODES,
 	ETH_SS_MSG_CLASSES,
 	ETH_SS_WOL_MODES,
+	ETH_SS_SOF_TIMESTAMPING,
+	ETH_SS_TS_TX_TYPES,
+	ETH_SS_TS_RX_FILTERS,
 
 	/* add new constants above here */
 	ETH_SS_COUNT
@@ -1330,6 +1336,7 @@ enum ethtool_fec_config_bits {
 	ETHTOOL_FEC_OFF_BIT,
 	ETHTOOL_FEC_RS_BIT,
 	ETHTOOL_FEC_BASER_BIT,
+	ETHTOOL_FEC_LLRS_BIT,
 };
 
 #define ETHTOOL_FEC_NONE		(1 << ETHTOOL_FEC_NONE_BIT)
@@ -1337,6 +1344,7 @@ enum ethtool_fec_config_bits {
 #define ETHTOOL_FEC_OFF			(1 << ETHTOOL_FEC_OFF_BIT)
 #define ETHTOOL_FEC_RS			(1 << ETHTOOL_FEC_RS_BIT)
 #define ETHTOOL_FEC_BASER		(1 << ETHTOOL_FEC_BASER_BIT)
+#define ETHTOOL_FEC_LLRS		(1 << ETHTOOL_FEC_LLRS_BIT)
 
 /* CMDs currently supported */
 #define ETHTOOL_GSET		0x00000001 /* DEPRECATED, Get settings.
@@ -1521,7 +1529,7 @@ enum ethtool_link_mode_bit_indices {
 	ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT = 71,
 	ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT	 = 72,
 	ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT	 = 73,
-
+	ETHTOOL_LINK_MODE_FEC_LLRS_BIT			 = 74,
 	/* must be last entry */
 	__ETHTOOL_LINK_MODE_MASK_NBITS
 };
diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
index b484c25289..ebf72c1031 100644
--- a/include/standard-headers/linux/input-event-codes.h
+++ b/include/standard-headers/linux/input-event-codes.h
@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
 /*
  * Input event codes
  *
@@ -652,6 +652,9 @@
 /* Electronic privacy screen control */
 #define KEY_PRIVACY_SCREEN_TOGGLE	0x279
 
+/* Select an area of screen to be copied */
+#define KEY_SELECTIVE_SCREENSHOT	0x27a
+
 /*
  * Some keyboards have keys which do not have a defined meaning, these keys
  * are intended to be programmed / bound to macros by the user. For most
diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
index 5437690483..f9701410d3 100644
--- a/include/standard-headers/linux/pci_regs.h
+++ b/include/standard-headers/linux/pci_regs.h
@@ -605,6 +605,7 @@
 #define  PCI_EXP_SLTCTL_PWR_OFF        0x0400 /* Power Off */
 #define  PCI_EXP_SLTCTL_EIC	0x0800	/* Electromechanical Interlock Control */
 #define  PCI_EXP_SLTCTL_DLLSCE	0x1000	/* Data Link Layer State Changed Enable */
+#define  PCI_EXP_SLTCTL_IBPD_DISABLE	0x4000 /* In-band PD disable */
 #define PCI_EXP_SLTSTA		26	/* Slot Status */
 #define  PCI_EXP_SLTSTA_ABP	0x0001	/* Attention Button Pressed */
 #define  PCI_EXP_SLTSTA_PFD	0x0002	/* Power Fault Detected */
@@ -680,6 +681,7 @@
 #define PCI_EXP_LNKSTA2		50	/* Link Status 2 */
 #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2	52	/* v2 endpoints with link end here */
 #define PCI_EXP_SLTCAP2		52	/* Slot Capabilities 2 */
+#define  PCI_EXP_SLTCAP2_IBPD	0x00000001 /* In-band PD Disable Supported */
 #define PCI_EXP_SLTCTL2		56	/* Slot Control 2 */
 #define PCI_EXP_SLTSTA2		58	/* Slot Status 2 */
 
diff --git a/include/standard-headers/linux/vhost_types.h b/include/standard-headers/linux/vhost_types.h
index 5351fe172d..a678d8fbaa 100644
--- a/include/standard-headers/linux/vhost_types.h
+++ b/include/standard-headers/linux/vhost_types.h
@@ -119,6 +119,14 @@ struct vhost_scsi_target {
 	unsigned short reserved;
 };
 
+/* VHOST_VDPA specific definitions */
+
+struct vhost_vdpa_config {
+	uint32_t off;
+	uint32_t len;
+	uint8_t buf[0];
+};
+
 /* Feature bits */
 /* Log all write descriptors. Can be changed while device is active. */
 #define VHOST_F_LOG_ALL 26
diff --git a/include/standard-headers/linux/virtio_balloon.h b/include/standard-headers/linux/virtio_balloon.h
index 9375ca2a70..f343bfefd8 100644
--- a/include/standard-headers/linux/virtio_balloon.h
+++ b/include/standard-headers/linux/virtio_balloon.h
@@ -36,6 +36,7 @@
 #define VIRTIO_BALLOON_F_DEFLATE_ON_OOM	2 /* Deflate balloon on OOM */
 #define VIRTIO_BALLOON_F_FREE_PAGE_HINT	3 /* VQ to report free pages */
 #define VIRTIO_BALLOON_F_PAGE_POISON	4 /* Guest is using page poisoning */
+#define VIRTIO_BALLOON_F_REPORTING	5 /* Page reporting virtqueue */
 
 /* Size of a PFN in the balloon interface. */
 #define VIRTIO_BALLOON_PFN_SHIFT 12
@@ -47,8 +48,15 @@ struct virtio_balloon_config {
 	uint32_t num_pages;
 	/* Number of pages we've actually got in balloon. */
 	uint32_t actual;
-	/* Free page report command id, readonly by guest */
-	uint32_t free_page_report_cmd_id;
+	/*
+	 * Free page hint command id, readonly by guest.
+	 * Was previously named free_page_report_cmd_id so we
+	 * need to carry that name for legacy support.
+	 */
+	union {
+		uint32_t free_page_hint_cmd_id;
+		uint32_t free_page_report_cmd_id;	/* deprecated */
+	};
 	/* Stores PAGE_POISON if page poisoning is in use */
 	uint32_t poison_val;
 };
diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h
index 585e07b273..ecc27a1740 100644
--- a/include/standard-headers/linux/virtio_ids.h
+++ b/include/standard-headers/linux/virtio_ids.h
@@ -46,5 +46,6 @@
 #define VIRTIO_ID_IOMMU        23 /* virtio IOMMU */
 #define VIRTIO_ID_FS           26 /* virtio filesystem */
 #define VIRTIO_ID_PMEM         27 /* virtio pmem */
+#define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */
 
 #endif /* _LINUX_VIRTIO_IDS_H */
diff --git a/include/standard-headers/linux/virtio_net.h b/include/standard-headers/linux/virtio_net.h
index 260c3681d7..a90f79e1b1 100644
--- a/include/standard-headers/linux/virtio_net.h
+++ b/include/standard-headers/linux/virtio_net.h
@@ -57,6 +57,9 @@
 					 * Steering */
 #define VIRTIO_NET_F_CTRL_MAC_ADDR 23	/* Set MAC address */
 
+#define VIRTIO_NET_F_HASH_REPORT  57	/* Supports hash report */
+#define VIRTIO_NET_F_RSS	  60	/* Supports RSS RX steering */
+#define VIRTIO_NET_F_RSC_EXT	  61	/* extended coalescing info */
 #define VIRTIO_NET_F_STANDBY	  62	/* Act as standby for another device
 					 * with the same MAC.
 					 */
@@ -69,6 +72,17 @@
 #define VIRTIO_NET_S_LINK_UP	1	/* Link is up */
 #define VIRTIO_NET_S_ANNOUNCE	2	/* Announcement is needed */
 
+/* supported/enabled hash types */
+#define VIRTIO_NET_RSS_HASH_TYPE_IPv4          (1 << 0)
+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv4         (1 << 1)
+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv4         (1 << 2)
+#define VIRTIO_NET_RSS_HASH_TYPE_IPv6          (1 << 3)
+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv6         (1 << 4)
+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv6         (1 << 5)
+#define VIRTIO_NET_RSS_HASH_TYPE_IP_EX         (1 << 6)
+#define VIRTIO_NET_RSS_HASH_TYPE_TCP_EX        (1 << 7)
+#define VIRTIO_NET_RSS_HASH_TYPE_UDP_EX        (1 << 8)
+
 struct virtio_net_config {
 	/* The config defining mac address (if VIRTIO_NET_F_MAC) */
 	uint8_t mac[ETH_ALEN];
@@ -92,6 +106,12 @@ struct virtio_net_config {
 	 * Any other value stands for unknown.
 	 */
 	uint8_t duplex;
+	/* maximum size of RSS key */
+	uint8_t rss_max_key_size;
+	/* maximum number of indirection table entries */
+	uint16_t rss_max_indirection_table_length;
+	/* bitmask of supported VIRTIO_NET_RSS_HASH_ types */
+	uint32_t supported_hash_types;
 } QEMU_PACKED;
 
 /*
@@ -104,6 +124,7 @@ struct virtio_net_config {
 struct virtio_net_hdr_v1 {
 #define VIRTIO_NET_HDR_F_NEEDS_CSUM	1	/* Use csum_start, csum_offset */
 #define VIRTIO_NET_HDR_F_DATA_VALID	2	/* Csum is valid */
+#define VIRTIO_NET_HDR_F_RSC_INFO	4	/* rsc info in csum_ fields */
 	uint8_t flags;
 #define VIRTIO_NET_HDR_GSO_NONE		0	/* Not a GSO frame */
 #define VIRTIO_NET_HDR_GSO_TCPV4	1	/* GSO frame, IPv4 TCP (TSO) */
@@ -113,11 +134,46 @@ struct virtio_net_hdr_v1 {
 	uint8_t gso_type;
 	__virtio16 hdr_len;	/* Ethernet + IP + tcp/udp hdrs */
 	__virtio16 gso_size;	/* Bytes to append to hdr_len per frame */
-	__virtio16 csum_start;	/* Position to start checksumming from */
-	__virtio16 csum_offset;	/* Offset after that to place checksum */
+	union {
+		struct {
+			__virtio16 csum_start;
+			__virtio16 csum_offset;
+		};
+		/* Checksum calculation */
+		struct {
+			/* Position to start checksumming from */
+			__virtio16 start;
+			/* Offset after that to place checksum */
+			__virtio16 offset;
+		} csum;
+		/* Receive Segment Coalescing */
+		struct {
+			/* Number of coalesced segments */
+			uint16_t segments;
+			/* Number of duplicated acks */
+			uint16_t dup_acks;
+		} rsc;
+	};
 	__virtio16 num_buffers;	/* Number of merged rx buffers */
 };
 
+struct virtio_net_hdr_v1_hash {
+	struct virtio_net_hdr_v1 hdr;
+	uint32_t hash_value;
+#define VIRTIO_NET_HASH_REPORT_NONE            0
+#define VIRTIO_NET_HASH_REPORT_IPv4            1
+#define VIRTIO_NET_HASH_REPORT_TCPv4           2
+#define VIRTIO_NET_HASH_REPORT_UDPv4           3
+#define VIRTIO_NET_HASH_REPORT_IPv6            4
+#define VIRTIO_NET_HASH_REPORT_TCPv6           5
+#define VIRTIO_NET_HASH_REPORT_UDPv6           6
+#define VIRTIO_NET_HASH_REPORT_IPv6_EX         7
+#define VIRTIO_NET_HASH_REPORT_TCPv6_EX        8
+#define VIRTIO_NET_HASH_REPORT_UDPv6_EX        9
+	uint16_t hash_report;
+	uint16_t padding;
+};
+
 #ifndef VIRTIO_NET_NO_LEGACY
 /* This header comes first in the scatter-gather list.
  * For legacy virtio, if VIRTIO_F_ANY_LAYOUT is not negotiated, it must
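Review bot: in the new union in struct virtio_net_hdr_v1, rsc.segments and rsc.dup_acks are plain uint16_t, while the csum_start/csum_offset and csum.start/csum.offset members they overlay are __virtio16. The byte order of the RSC counters is therefore not expressed in the type. A short comment on the rsc struct stating the expected endianness, and that the fields are only meaningful when VIRTIO_NET_HDR_F_RSC_INFO is set in flags, would keep a reader from treating them as checksum offsets. The same question applies to hash_value and hash_report in struct virtio_net_hdr_v1_hash.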
@@ -228,7 +284,9 @@ struct virtio_net_ctrl_mac {
 
 /*
  * Control Receive Flow Steering
- *
+ */
+#define VIRTIO_NET_CTRL_MQ   4
+/*
  * The command VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET
  * enables Receive Flow Steering, specifying the number of the transmit and
  * receive queues that will be used. After the command is consumed and acked by
@@ -241,11 +299,47 @@ struct virtio_net_ctrl_mq {
 	__virtio16 virtqueue_pairs;
 };
 
-#define VIRTIO_NET_CTRL_MQ   4
  #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET        0
  #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MIN        1
  #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MAX        0x8000
 
+/*
+ * The command VIRTIO_NET_CTRL_MQ_RSS_CONFIG has the same effect as
+ * VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET does and additionally configures
+ * the receive steering to use a hash calculated for incoming packet
+ * to decide on receive virtqueue to place the packet. The command
+ * also provides parameters to calculate a hash and receive virtqueue.
+ */
+struct virtio_net_rss_config {
+	uint32_t hash_types;
+	uint16_t indirection_table_mask;
+	uint16_t unclassified_queue;
+	uint16_t indirection_table[1/* + indirection_table_mask */];
+	uint16_t max_tx_vq;
+	uint8_t hash_key_length;
+	uint8_t hash_key_data[/* hash_key_length */];
+};
+
+ #define VIRTIO_NET_CTRL_MQ_RSS_CONFIG          1
+
+/*
+ * The command VIRTIO_NET_CTRL_MQ_HASH_CONFIG requests the device
+ * to include in the virtio header of the packet the value of the
+ * calculated hash and the report type of hash. It also provides
+ * parameters for hash calculation. The command requires feature
+ * VIRTIO_NET_F_HASH_REPORT to be negotiated to extend the
+ * layout of virtio header as defined in virtio_net_hdr_v1_hash.
+ */
+struct virtio_net_hash_config {
+	uint32_t hash_types;
+	/* for compatibility with virtio_net_rss_config */
+	uint16_t reserved[4];
+	uint8_t hash_key_length;
+	uint8_t hash_key_data[/* hash_key_length */];
+};
+
+ #define VIRTIO_NET_CTRL_MQ_HASH_CONFIG         2
+
 /*
  * Control network offloads
  *
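Review bot: struct virtio_net_rss_config declares indirection_table[1/* + indirection_table_mask */] in the middle of the struct, followed by max_tx_vq, hash_key_length and hash_key_data, so offsetof() for those trailing members is only right when the table has exactly one entry. The struct documents a wire format rather than a usable C layout, and the comment above it should say so. A consumer of VIRTIO_NET_CTRL_MQ_RSS_CONFIG has to compute the offsets from indirection_table_mask and check the table length and hash_key_length against the size of the command buffer before reading, because both lengths are supplied by the driver. rss_max_indirection_table_length and rss_max_key_size in virtio_net_config look like the intended upper bounds, and a sentence tying them to this command would help.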
diff --git a/linux-headers/COPYING b/linux-headers/COPYING
index da4cb28feb..a635a38ef9 100644
--- a/linux-headers/COPYING
+++ b/linux-headers/COPYING
@@ -16,3 +16,5 @@ In addition, other licenses may also apply. Please see:
 	Documentation/process/license-rules.rst
 
 for more details.
+
+All contributions to the Linux Kernel are subject to this COPYING file.
diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
index 503d3f42da..3f3f780c8c 100644
--- a/linux-headers/asm-x86/kvm.h
+++ b/linux-headers/asm-x86/kvm.h
@@ -390,6 +390,7 @@ struct kvm_sync_regs {
 #define KVM_STATE_NESTED_GUEST_MODE	0x00000001
 #define KVM_STATE_NESTED_RUN_PENDING	0x00000002
 #define KVM_STATE_NESTED_EVMCS		0x00000004
+#define KVM_STATE_NESTED_MTF_PENDING	0x00000008
 
 #define KVM_STATE_NESTED_SMM_GUEST_MODE	0x00000001
 #define KVM_STATE_NESTED_SMM_VMXON	0x00000002
diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
index f6e06fcfbd..1e6c1a5867 100644
--- a/linux-headers/asm-x86/unistd_32.h
+++ b/linux-headers/asm-x86/unistd_32.h
@@ -429,4 +429,5 @@
 #define __NR_openat2 437
 #define __NR_pidfd_getfd 438
 
+
 #endif /* _ASM_X86_UNISTD_32_H */
diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
index 924f826d2d..6daf0aecb2 100644
--- a/linux-headers/asm-x86/unistd_64.h
+++ b/linux-headers/asm-x86/unistd_64.h
@@ -351,4 +351,5 @@
 #define __NR_openat2 437
 #define __NR_pidfd_getfd 438
 
+
 #endif /* _ASM_X86_UNISTD_64_H */
diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
index 010307757b..e3f17ef370 100644
--- a/linux-headers/asm-x86/unistd_x32.h
+++ b/linux-headers/asm-x86/unistd_x32.h
@@ -340,4 +340,5 @@
 #define __NR_preadv2 (__X32_SYSCALL_BIT + 546)
 #define __NR_pwritev2 (__X32_SYSCALL_BIT + 547)
 
+
 #endif /* _ASM_X86_UNISTD_X32_H */
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 265099100e..9804495a46 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -474,12 +474,17 @@ struct kvm_s390_mem_op {
 	__u32 size;		/* amount of bytes */
 	__u32 op;		/* type of operation */
 	__u64 buf;		/* buffer in userspace */
-	__u8 ar;		/* the access register number */
-	__u8 reserved[31];	/* should be set to 0 */
+	union {
+		__u8 ar;	/* the access register number */
+		__u32 sida_offset; /* offset into the sida */
+		__u8 reserved[32]; /* should be set to 0 */
+	};
 };
 /* types for kvm_s390_mem_op->op */
 #define KVM_S390_MEMOP_LOGICAL_READ	0
 #define KVM_S390_MEMOP_LOGICAL_WRITE	1
+#define KVM_S390_MEMOP_SIDA_READ	2
+#define KVM_S390_MEMOP_SIDA_WRITE	3
 /* flags for kvm_s390_mem_op->flags */
 #define KVM_S390_MEMOP_F_CHECK_ONLY		(1ULL << 0)
 #define KVM_S390_MEMOP_F_INJECT_EXCEPTION	(1ULL << 1)
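Review bot: the anonymous union added to struct kvm_s390_mem_op overlays ar, sida_offset and reserved[32] without saying which member applies to which op. The size is unchanged (the old ar plus reserved[31] was also 32 bytes), but a caller that fills in ar and later reuses the struct for KVM_S390_MEMOP_SIDA_READ or KVM_S390_MEMOP_SIDA_WRITE hands that byte over as part of sida_offset. Please add a note beside the union stating which op reads ar, which reads sida_offset, and that the remaining bytes must be zero.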
@@ -1010,6 +1015,8 @@ struct kvm_ppc_resize_hpt {
 #define KVM_CAP_ARM_NISV_TO_USER 177
 #define KVM_CAP_ARM_INJECT_EXT_DABT 178
 #define KVM_CAP_S390_VCPU_RESETS 179
+#define KVM_CAP_S390_PROTECTED 180
+#define KVM_CAP_PPC_SECURE_GUEST 181
 
 #ifdef KVM_CAP_IRQ_ROUTING
 
@@ -1478,6 +1485,39 @@ struct kvm_enc_region {
 #define KVM_S390_NORMAL_RESET	_IO(KVMIO,   0xc3)
 #define KVM_S390_CLEAR_RESET	_IO(KVMIO,   0xc4)
 
+struct kvm_s390_pv_sec_parm {
+	__u64 origin;
+	__u64 length;
+};
+
+struct kvm_s390_pv_unp {
+	__u64 addr;
+	__u64 size;
+	__u64 tweak;
+};
+
+enum pv_cmd_id {
+	KVM_PV_ENABLE,
+	KVM_PV_DISABLE,
+	KVM_PV_SET_SEC_PARMS,
+	KVM_PV_UNPACK,
+	KVM_PV_VERIFY,
+	KVM_PV_PREP_RESET,
+	KVM_PV_UNSHARE_ALL,
+};
+
+struct kvm_pv_cmd {
+	__u32 cmd;	/* Command to be executed */
+	__u16 rc;	/* Ultravisor return code */
+	__u16 rrc;	/* Ultravisor return reason code */
+	__u64 data;	/* Data or address */
+	__u32 flags;    /* flags for future extensions. Must be 0 for now */
+	__u32 reserved[3];
+};
+
+/* Available with KVM_CAP_S390_PROTECTED */
+#define KVM_S390_PV_COMMAND		_IOWR(KVMIO, 0xc5, struct kvm_pv_cmd)
+
 /* Secure Encrypted Virtualization command */
 enum sev_cmd_id {
 	/* Guest initialization commands */
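Review bot: struct kvm_pv_cmd documents flags as "Must be 0 for now", but reserved[3] has no comment at all. If reserved is also expected to be zero, say so beside the field, so that callers of KVM_S390_PV_COMMAND zero-initialise the whole struct rather than assigning only cmd and data. Separately, enum pv_cmd_id relies on implicit numbering for values that are passed through an ioctl; explicit values would make an accidental reorder visible in review.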
@@ -1628,4 +1668,7 @@ struct kvm_hyperv_eventfd {
 #define KVM_HYPERV_CONN_ID_MASK		0x00ffffff
 #define KVM_HYPERV_EVENTFD_DEASSIGN	(1 << 0)
 
+#define KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE    (1 << 0)
+#define KVM_DIRTY_LOG_INITIALLY_SET            (1 << 1)
+
 #endif /* __LINUX_KVM_H */
diff --git a/linux-headers/linux/mman.h b/linux-headers/linux/mman.h
index 1f6e2cd89c..51ea363759 100644
--- a/linux-headers/linux/mman.h
+++ b/linux-headers/linux/mman.h
@@ -5,8 +5,9 @@
 #include <asm/mman.h>
 #include <asm-generic/hugetlb_encode.h>
 
-#define MREMAP_MAYMOVE	1
-#define MREMAP_FIXED	2
+#define MREMAP_MAYMOVE		1
+#define MREMAP_FIXED		2
+#define MREMAP_DONTUNMAP	4
 
 #define OVERCOMMIT_GUESS		0
 #define OVERCOMMIT_ALWAYS		1
diff --git a/linux-headers/linux/userfaultfd.h b/linux-headers/linux/userfaultfd.h
index ce78878d12..8d3996eb82 100644
--- a/linux-headers/linux/userfaultfd.h
+++ b/linux-headers/linux/userfaultfd.h
@@ -19,7 +19,8 @@
  * means the userland is reading).
  */
 #define UFFD_API ((__u64)0xAA)
-#define UFFD_API_FEATURES (UFFD_FEATURE_EVENT_FORK |		\
+#define UFFD_API_FEATURES (UFFD_FEATURE_PAGEFAULT_FLAG_WP |	\
+			   UFFD_FEATURE_EVENT_FORK |		\
 			   UFFD_FEATURE_EVENT_REMAP |		\
 			   UFFD_FEATURE_EVENT_REMOVE |	\
 			   UFFD_FEATURE_EVENT_UNMAP |		\
@@ -34,7 +35,8 @@
 #define UFFD_API_RANGE_IOCTLS			\
 	((__u64)1 << _UFFDIO_WAKE |		\
 	 (__u64)1 << _UFFDIO_COPY |		\
-	 (__u64)1 << _UFFDIO_ZEROPAGE)
+	 (__u64)1 << _UFFDIO_ZEROPAGE |		\
+	 (__u64)1 << _UFFDIO_WRITEPROTECT)
 #define UFFD_API_RANGE_IOCTLS_BASIC		\
 	((__u64)1 << _UFFDIO_WAKE |		\
 	 (__u64)1 << _UFFDIO_COPY)
@@ -52,6 +54,7 @@
 #define _UFFDIO_WAKE			(0x02)
 #define _UFFDIO_COPY			(0x03)
 #define _UFFDIO_ZEROPAGE		(0x04)
+#define _UFFDIO_WRITEPROTECT		(0x06)
 #define _UFFDIO_API			(0x3F)
 
 /* userfaultfd ioctl ids */
@@ -68,6 +71,8 @@
 				      struct uffdio_copy)
 #define UFFDIO_ZEROPAGE		_IOWR(UFFDIO, _UFFDIO_ZEROPAGE,	\
 				      struct uffdio_zeropage)
+#define UFFDIO_WRITEPROTECT	_IOWR(UFFDIO, _UFFDIO_WRITEPROTECT, \
+				      struct uffdio_writeprotect)
 
 /* read() structure */
 struct uffd_msg {
@@ -203,13 +208,14 @@ struct uffdio_copy {
 	__u64 dst;
 	__u64 src;
 	__u64 len;
+#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
 	/*
-	 * There will be a wrprotection flag later that allows to map
-	 * pages wrprotected on the fly. And such a flag will be
-	 * available if the wrprotection ioctl are implemented for the
-	 * range according to the uffdio_register.ioctls.
+	 * UFFDIO_COPY_MODE_WP will map the page write protected on
+	 * the fly.  UFFDIO_COPY_MODE_WP is available only if the
+	 * write protected ioctl is implemented for the range
+	 * according to the uffdio_register.ioctls.
 	 */
-#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
+#define UFFDIO_COPY_MODE_WP			((__u64)1<<1)
 	__u64 mode;
 
 	/*
@@ -231,4 +237,24 @@ struct uffdio_zeropage {
 	__s64 zeropage;
 };
 
+struct uffdio_writeprotect {
+	struct uffdio_range range;
+/*
+ * UFFDIO_WRITEPROTECT_MODE_WP: set the flag to write protect a range,
+ * unset the flag to undo protection of a range which was previously
+ * write protected.
+ *
+ * UFFDIO_WRITEPROTECT_MODE_DONTWAKE: set the flag to avoid waking up
+ * any wait thread after the operation succeeds.
+ *
+ * NOTE: Write protecting a region (WP=1) is unrelated to page faults,
+ * therefore DONTWAKE flag is meaningless with WP=1.  Removing write
+ * protection (WP=0) in response to a page fault wakes the faulting
+ * task unless DONTWAKE is set.
+ */
+#define UFFDIO_WRITEPROTECT_MODE_WP		((__u64)1<<0)
+#define UFFDIO_WRITEPROTECT_MODE_DONTWAKE	((__u64)1<<1)
+	__u64 mode;
+};
+
 #endif /* _LINUX_USERFAULTFD_H */
diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
index fb10370d29..a41c452865 100644
--- a/linux-headers/linux/vfio.h
+++ b/linux-headers/linux/vfio.h
@@ -707,6 +707,43 @@ struct vfio_device_ioeventfd {
 
 #define VFIO_DEVICE_IOEVENTFD		_IO(VFIO_TYPE, VFIO_BASE + 16)
 
+/**
+ * VFIO_DEVICE_FEATURE - _IORW(VFIO_TYPE, VFIO_BASE + 17,
+ *			       struct vfio_device_feature)
+ *
+ * Get, set, or probe feature data of the device.  The feature is selected
+ * using the FEATURE_MASK portion of the flags field.  Support for a feature
+ * can be probed by setting both the FEATURE_MASK and PROBE bits.  A probe
+ * may optionally include the GET and/or SET bits to determine read vs write
+ * access of the feature respectively.  Probing a feature will return success
+ * if the feature is supported and all of the optionally indicated GET/SET
+ * methods are supported.  The format of the data portion of the structure is
+ * specific to the given feature.  The data portion is not required for
+ * probing.  GET and SET are mutually exclusive, except for use with PROBE.
+ *
+ * Return 0 on success, -errno on failure.
+ */
+struct vfio_device_feature {
+	__u32	argsz;
+	__u32	flags;
+#define VFIO_DEVICE_FEATURE_MASK	(0xffff) /* 16-bit feature index */
+#define VFIO_DEVICE_FEATURE_GET		(1 << 16) /* Get feature into data[] */
+#define VFIO_DEVICE_FEATURE_SET		(1 << 17) /* Set feature from data[] */
+#define VFIO_DEVICE_FEATURE_PROBE	(1 << 18) /* Probe feature support */
+	__u8	data[];
+};
+
+#define VFIO_DEVICE_FEATURE		_IO(VFIO_TYPE, VFIO_BASE + 17)
+
+/*
+ * Provide support for setting a PCI VF Token, which is used as a shared
+ * secret between PF and VF drivers.  This feature may only be set on a
+ * PCI SR-IOV PF when SR-IOV is enabled on the PF and there are no existing
+ * open VFs.  Data provided when setting this feature is a 16-byte array
+ * (__u8 b[16]), representing a UUID.
+ */
+#define VFIO_DEVICE_FEATURE_PCI_VF_TOKEN	(0)
+
 /* -------- API for Type1 VFIO IOMMU -------- */
 
 /**
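Review bot: the doc comment for VFIO_DEVICE_FEATURE describes the ioctl as _IORW(VFIO_TYPE, VFIO_BASE + 17, struct vfio_device_feature), but the macro is defined as _IO(VFIO_TYPE, VFIO_BASE + 17), the same form as VIRTIO_DEVICE_IOEVENTFD's neighbour VFIO_DEVICE_IOEVENTFD just above the hunk. The ioctl number therefore encodes neither direction nor size, and the only length information is argsz, with data[] a flexible array. The comment should state how argsz relates to data[] for GET and SET, and for VFIO_DEVICE_FEATURE_PCI_VF_TOKEN that the payload is exactly 16 bytes, since the token is described as a shared secret between PF and VF drivers.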
diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h
index 40d028eed6..9fe72e4b13 100644
--- a/linux-headers/linux/vhost.h
+++ b/linux-headers/linux/vhost.h
@@ -116,4 +116,28 @@
 #define VHOST_VSOCK_SET_GUEST_CID	_IOW(VHOST_VIRTIO, 0x60, __u64)
 #define VHOST_VSOCK_SET_RUNNING		_IOW(VHOST_VIRTIO, 0x61, int)
 
+/* VHOST_VDPA specific defines */
+
+/* Get the device id. The device ids follow the same definition of
+ * the device id defined in virtio-spec.
+ */
+#define VHOST_VDPA_GET_DEVICE_ID	_IOR(VHOST_VIRTIO, 0x70, __u32)
+/* Get and set the status. The status bits follow the same definition
+ * of the device status defined in virtio-spec.
+ */
+#define VHOST_VDPA_GET_STATUS		_IOR(VHOST_VIRTIO, 0x71, __u8)
+#define VHOST_VDPA_SET_STATUS		_IOW(VHOST_VIRTIO, 0x72, __u8)
+/* Get and set the device config. The device config follows the same
+ * definition of the device config defined in virtio-spec.
+ */
+#define VHOST_VDPA_GET_CONFIG		_IOR(VHOST_VIRTIO, 0x73, \
+					     struct vhost_vdpa_config)
+#define VHOST_VDPA_SET_CONFIG		_IOW(VHOST_VIRTIO, 0x74, \
+					     struct vhost_vdpa_config)
+/* Enable/disable the ring. */
+#define VHOST_VDPA_SET_VRING_ENABLE	_IOW(VHOST_VIRTIO, 0x75, \
+					     struct vhost_vring_state)
+/* Get the max ring size. */
+#define VHOST_VDPA_GET_VRING_NUM	_IOR(VHOST_VIRTIO, 0x76, __u16)
+
 #endif
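Review bot: VHOST_VDPA_GET_CONFIG and VHOST_VDPA_SET_CONFIG take struct vhost_vdpa_config, which is not defined in the lines shown for linux-headers/linux/vhost.h. Please confirm that the same header sync brings in the definition, otherwise the first user of these macros will not compile. Minor: VHOST_VDPA_SET_VRING_ENABLE reuses struct vhost_vring_state, and its one-line comment could say which field carries the enable flag.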
-- 
2.17.1




* [PATCH 64/77] virtio-balloon: Replace free page hinting references to 'report' with 'hint'
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (62 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 63/77] linux-headers: update against Linux 5.7-rc3 Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 65/77] virtio: list legacy-capable devices Michael Roth
                   ` (15 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Duyck, qemu-stable, Michael S . Tsirkin

From: Alexander Duyck <alexander.h.duyck@linux.intel.com>

Recently a feature named Free Page Reporting was added to the virtio
balloon. In order to avoid any confusion we should drop the use of the word
'report' when referring to Free Page Hinting. So what this patch does is go
through and replace all instances of 'report' with 'hint' when we are
referring to free page hinting.

Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175128.21935.93927.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 3219b42f025d4d7a9c463235e9f937ab38067de3)
 Conflicts:
	hw/virtio/virtio-balloon.c
	include/hw/virtio/virtio-balloon.h
*drop context deps on 91b867191d and 7483cbbaf8
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-balloon.c         | 76 +++++++++++++++---------------
 include/hw/virtio/virtio-balloon.h | 20 ++++----
 2 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 6c75db123e..035d4e0665 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -466,22 +466,22 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
             ret = false;
             goto out;
         }
-        if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
-            id == dev->free_page_report_cmd_id) {
-            dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
+        if (dev->free_page_hint_status == FREE_PAGE_HINT_S_REQUESTED &&
+            id == dev->free_page_hint_cmd_id) {
+            dev->free_page_hint_status = FREE_PAGE_HINT_S_START;
         } else {
             /*
              * Stop the optimization only when it has started. This
              * avoids a stale stop sign for the previous command.
              */
-            if (dev->free_page_report_status == FREE_PAGE_REPORT_S_START) {
-                dev->free_page_report_status = FREE_PAGE_REPORT_S_STOP;
+            if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
+                dev->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
             }
         }
     }
 
     if (elem->in_num) {
-        if (dev->free_page_report_status == FREE_PAGE_REPORT_S_START) {
+        if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
             qemu_guest_free_page_hint(elem->in_sg[0].iov_base,
                                       elem->in_sg[0].iov_len);
         }
@@ -507,11 +507,11 @@ static void virtio_ballloon_get_free_page_hints(void *opaque)
         qemu_mutex_unlock(&dev->free_page_lock);
         virtio_notify(vdev, vq);
       /*
-       * Start to poll the vq once the reporting started. Otherwise, continue
+       * Start to poll the vq once the hinting started. Otherwise, continue
        * only when there are entries on the vq, which need to be given back.
        */
     } while (continue_to_get_hints ||
-             dev->free_page_report_status == FREE_PAGE_REPORT_S_START);
+             dev->free_page_hint_status == FREE_PAGE_HINT_S_START);
     virtio_queue_set_notification(vq, 1);
 }
 
@@ -534,14 +534,14 @@ static void virtio_balloon_free_page_start(VirtIOBalloon *s)
 
     qemu_mutex_lock(&s->free_page_lock);
 
-    if (s->free_page_report_cmd_id == UINT_MAX) {
-        s->free_page_report_cmd_id =
-                       VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
+    if (s->free_page_hint_cmd_id == UINT_MAX) {
+        s->free_page_hint_cmd_id =
+                       VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN;
     } else {
-        s->free_page_report_cmd_id++;
+        s->free_page_hint_cmd_id++;
     }
 
-    s->free_page_report_status = FREE_PAGE_REPORT_S_REQUESTED;
+    s->free_page_hint_status = FREE_PAGE_HINT_S_REQUESTED;
     qemu_mutex_unlock(&s->free_page_lock);
 
     virtio_notify_config(vdev);
@@ -551,18 +551,18 @@ static void virtio_balloon_free_page_stop(VirtIOBalloon *s)
 {
     VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-    if (s->free_page_report_status != FREE_PAGE_REPORT_S_STOP) {
+    if (s->free_page_hint_status != FREE_PAGE_HINT_S_STOP) {
         /*
          * The lock also guarantees us that the
          * virtio_ballloon_get_free_page_hints exits after the
-         * free_page_report_status is set to S_STOP.
+         * free_page_hint_status is set to S_STOP.
          */
         qemu_mutex_lock(&s->free_page_lock);
         /*
-         * The guest hasn't done the reporting, so host sends a notification
-         * to the guest to actively stop the reporting.
+         * The guest isn't done hinting, so send a notification
+         * to the guest to actively stop the hinting.
          */
-        s->free_page_report_status = FREE_PAGE_REPORT_S_STOP;
+        s->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
         qemu_mutex_unlock(&s->free_page_lock);
         virtio_notify_config(vdev);
     }
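Review bot: in virtio_balloon_free_page_stop() the test s->free_page_hint_status != FREE_PAGE_HINT_S_STOP runs before qemu_mutex_lock(&s->free_page_lock), although the comment inside the branch says the lock is what orders this against virtio_ballloon_get_free_page_hints. The rename does not change that behaviour, but since the check is touched here, either move the test under the lock or extend the comment to explain why the unlocked read is safe. The triple 'l' in virtio_ballloon_get_free_page_hints, visible in that comment, is worth a follow-up as well.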
@@ -572,20 +572,20 @@ static void virtio_balloon_free_page_done(VirtIOBalloon *s)
 {
     VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-    if (s->free_page_report_status != FREE_PAGE_REPORT_S_DONE) {
+    if (s->free_page_hint_status != FREE_PAGE_HINT_S_DONE) {
         /* See virtio_balloon_free_page_stop() */
         qemu_mutex_lock(&s->free_page_lock);
-        s->free_page_report_status = FREE_PAGE_REPORT_S_DONE;
+        s->free_page_hint_status = FREE_PAGE_HINT_S_DONE;
         qemu_mutex_unlock(&s->free_page_lock);
         virtio_notify_config(vdev);
     }
 }
 
 static int
-virtio_balloon_free_page_report_notify(NotifierWithReturn *n, void *data)
+virtio_balloon_free_page_hint_notify(NotifierWithReturn *n, void *data)
 {
     VirtIOBalloon *dev = container_of(n, VirtIOBalloon,
-                                      free_page_report_notify);
+                                      free_page_hint_notify);
     VirtIODevice *vdev = VIRTIO_DEVICE(dev);
     PrecopyNotifyData *pnd = data;
 
@@ -643,7 +643,7 @@ static size_t virtio_balloon_config_size(VirtIOBalloon *s)
     if (virtio_has_feature(features, VIRTIO_BALLOON_F_FREE_PAGE_HINT)) {
         return offsetof(struct virtio_balloon_config, poison_val);
     }
-    return offsetof(struct virtio_balloon_config, free_page_report_cmd_id);
+    return offsetof(struct virtio_balloon_config, free_page_hint_cmd_id);
 }
 
 static void virtio_balloon_get_config(VirtIODevice *vdev, uint8_t *config_data)
@@ -654,14 +654,14 @@ static void virtio_balloon_get_config(VirtIODevice *vdev, uint8_t *config_data)
     config.num_pages = cpu_to_le32(dev->num_pages);
     config.actual = cpu_to_le32(dev->actual);
 
-    if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED) {
-        config.free_page_report_cmd_id =
-                       cpu_to_le32(dev->free_page_report_cmd_id);
-    } else if (dev->free_page_report_status == FREE_PAGE_REPORT_S_STOP) {
-        config.free_page_report_cmd_id =
+    if (dev->free_page_hint_status == FREE_PAGE_HINT_S_REQUESTED) {
+        config.free_page_hint_cmd_id =
+                       cpu_to_le32(dev->free_page_hint_cmd_id);
+    } else if (dev->free_page_hint_status == FREE_PAGE_HINT_S_STOP) {
+        config.free_page_hint_cmd_id =
                        cpu_to_le32(VIRTIO_BALLOON_CMD_ID_STOP);
-    } else if (dev->free_page_report_status == FREE_PAGE_REPORT_S_DONE) {
-        config.free_page_report_cmd_id =
+    } else if (dev->free_page_hint_status == FREE_PAGE_HINT_S_DONE) {
+        config.free_page_hint_cmd_id =
                        cpu_to_le32(VIRTIO_BALLOON_CMD_ID_DONE);
     }
 
@@ -762,14 +762,14 @@ static int virtio_balloon_post_load_device(void *opaque, int version_id)
     return 0;
 }
 
-static const VMStateDescription vmstate_virtio_balloon_free_page_report = {
+static const VMStateDescription vmstate_virtio_balloon_free_page_hint = {
     .name = "virtio-balloon-device/free-page-report",
     .version_id = 1,
     .minimum_version_id = 1,
     .needed = virtio_balloon_free_page_support,
     .fields = (VMStateField[]) {
-        VMSTATE_UINT32(free_page_report_cmd_id, VirtIOBalloon),
-        VMSTATE_UINT32(free_page_report_status, VirtIOBalloon),
+        VMSTATE_UINT32(free_page_hint_cmd_id, VirtIOBalloon),
+        VMSTATE_UINT32(free_page_hint_status, VirtIOBalloon),
         VMSTATE_END_OF_LIST()
     }
 };
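Review bot: vmstate_virtio_balloon_free_page_hint keeps .name = "virtio-balloon-device/free-page-report" while the variable and both VMSTATE_UINT32 fields move to 'hint'. If the string is left alone on purpose because the subsection name is part of the migration stream, add a one-line comment saying so, so that a later cleanup does not rename it and break migration between versions.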
@@ -785,7 +785,7 @@ static const VMStateDescription vmstate_virtio_balloon_device = {
         VMSTATE_END_OF_LIST()
     },
     .subsections = (const VMStateDescription * []) {
-        &vmstate_virtio_balloon_free_page_report,
+        &vmstate_virtio_balloon_free_page_hint,
         NULL
     }
 };
@@ -823,7 +823,7 @@ static void virtio_balloon_device_realize(DeviceState *dev, Error **errp)
                            VIRTIO_BALLOON_F_FREE_PAGE_HINT)) {
         s->free_page_vq = virtio_add_queue(vdev, VIRTQUEUE_MAX_SIZE,
                                            virtio_balloon_handle_free_page_vq);
-        precopy_add_notifier(&s->free_page_report_notify);
+        precopy_add_notifier(&s->free_page_hint_notify);
 
         object_ref(OBJECT(s->iothread));
         s->free_page_bh = aio_bh_new(iothread_get_aio_context(s->iothread),
@@ -841,7 +841,7 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp)
         qemu_bh_delete(s->free_page_bh);
         object_unref(OBJECT(s->iothread));
         virtio_balloon_free_page_stop(s);
-        precopy_remove_notifier(&s->free_page_report_notify);
+        precopy_remove_notifier(&s->free_page_hint_notify);
     }
     balloon_stats_destroy_timer(s);
     qemu_remove_balloon_handler(s);
@@ -908,8 +908,8 @@ static void virtio_balloon_instance_init(Object *obj)
 
     qemu_mutex_init(&s->free_page_lock);
     qemu_cond_init(&s->free_page_cond);
-    s->free_page_report_cmd_id = VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
-    s->free_page_report_notify.notify = virtio_balloon_free_page_report_notify;
+    s->free_page_hint_cmd_id = VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN;
+    s->free_page_hint_notify.notify = virtio_balloon_free_page_hint_notify;
 
     object_property_add(obj, "guest-stats", "guest statistics",
                         balloon_stats_get_all, NULL, NULL, s, NULL);
diff --git a/include/hw/virtio/virtio-balloon.h b/include/hw/virtio/virtio-balloon.h
index d1c968d237..108cff97e7 100644
--- a/include/hw/virtio/virtio-balloon.h
+++ b/include/hw/virtio/virtio-balloon.h
@@ -23,7 +23,7 @@
 #define VIRTIO_BALLOON(obj) \
         OBJECT_CHECK(VirtIOBalloon, (obj), TYPE_VIRTIO_BALLOON)
 
-#define VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN 0x80000000
+#define VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN 0x80000000
 
 typedef struct virtio_balloon_stat VirtIOBalloonStat;
 
@@ -33,20 +33,20 @@ typedef struct virtio_balloon_stat_modern {
        uint64_t val;
 } VirtIOBalloonStatModern;
 
-enum virtio_balloon_free_page_report_status {
-    FREE_PAGE_REPORT_S_STOP = 0,
-    FREE_PAGE_REPORT_S_REQUESTED = 1,
-    FREE_PAGE_REPORT_S_START = 2,
-    FREE_PAGE_REPORT_S_DONE = 3,
+enum virtio_balloon_free_page_hint_status {
+    FREE_PAGE_HINT_S_STOP = 0,
+    FREE_PAGE_HINT_S_REQUESTED = 1,
+    FREE_PAGE_HINT_S_START = 2,
+    FREE_PAGE_HINT_S_DONE = 3,
 };
 
 typedef struct VirtIOBalloon {
     VirtIODevice parent_obj;
     VirtQueue *ivq, *dvq, *svq, *free_page_vq;
-    uint32_t free_page_report_status;
+    uint32_t free_page_hint_status;
     uint32_t num_pages;
     uint32_t actual;
-    uint32_t free_page_report_cmd_id;
+    uint32_t free_page_hint_cmd_id;
     uint64_t stats[VIRTIO_BALLOON_S_NR];
     VirtQueueElement *stats_vq_elem;
     size_t stats_vq_offset;
@@ -55,7 +55,7 @@ typedef struct VirtIOBalloon {
     QEMUBH *free_page_bh;
     /*
      * Lock to synchronize threads to access the free page reporting related
-     * fields (e.g. free_page_report_status).
+     * fields (e.g. free_page_hint_status).
      */
     QemuMutex free_page_lock;
     QemuCond  free_page_cond;
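Review bot: the comment above free_page_lock still reads "free page reporting related" in the unchanged context line, while the next line is updated to free_page_hint_status. The commit message says references to free page hinting should drop the word 'report', so this line should read "free page hinting related" too.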
@@ -64,7 +64,7 @@ typedef struct VirtIOBalloon {
      * stopped.
      */
     bool block_iothread;
-    NotifierWithReturn free_page_report_notify;
+    NotifierWithReturn free_page_hint_notify;
     int64_t stats_last_update;
     int64_t stats_poll_interval;
     uint32_t host_features;
-- 
2.17.1




* [PATCH 65/77] virtio: list legacy-capable devices
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (63 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 64/77] virtio-balloon: Replace free page hinting references to 'report' with 'hint' Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 66/77] virtio: verify that legacy support is not accidentally on Michael Roth
                   ` (14 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Cornelia Huck, qemu-stable, Michael S . Tsirkin

From: Cornelia Huck <cohuck@redhat.com>

Several types of virtio devices had already been around before the
virtio standard was specified. These devices support virtio in legacy
(and transitional) mode.

Devices that have been added in the virtio standard are considered
non-transitional (i.e. with no support for legacy virtio).

Provide a helper function so virtio transports can figure that out
easily.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20200707105446.677966-2-cohuck@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 7c78bdd7a3d0086179331f10d1f6f8cdac34731a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c         | 25 +++++++++++++++++++++++++
 include/hw/virtio/virtio.h |  2 ++
 2 files changed, 27 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index b6c8ef5bc0..398fd4a305 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -27,6 +27,7 @@
 #include "hw/virtio/virtio-access.h"
 #include "sysemu/dma.h"
 #include "sysemu/runstate.h"
+#include "standard-headers/linux/virtio_ids.h"
 
 /*
  * The alignment to use between consumer and producer parts of vring.
@@ -3278,6 +3279,30 @@ void virtio_init(VirtIODevice *vdev, const char *name,
     vdev->use_guest_notifier_mask = true;
 }
 
+/*
+ * Only devices that have already been around prior to defining the virtio
+ * standard support legacy mode; this includes devices not specified in the
+ * standard. All newer devices conform to the virtio standard only.
+ */
+bool virtio_legacy_allowed(VirtIODevice *vdev)
+{
+    switch (vdev->device_id) {
+    case VIRTIO_ID_NET:
+    case VIRTIO_ID_BLOCK:
+    case VIRTIO_ID_CONSOLE:
+    case VIRTIO_ID_RNG:
+    case VIRTIO_ID_BALLOON:
+    case VIRTIO_ID_RPMSG:
+    case VIRTIO_ID_SCSI:
+    case VIRTIO_ID_9P:
+    case VIRTIO_ID_RPROC_SERIAL:
+    case VIRTIO_ID_CAIF:
+        return true;
+    default:
+        return false;
+    }
+}
+
 hwaddr virtio_queue_get_desc_addr(VirtIODevice *vdev, int n)
 {
     return vdev->vq[n].vring.desc;
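Review bot: virtio_legacy_allowed() only reads vdev->device_id, so the parameter can be const VirtIODevice *. The comment above it says the list "includes devices not specified in the standard", but the case labels do not mark which ones those are; a trailing comment on those labels would help whoever has to decide if a new device ID belongs here. The default: return false is the right failure direction, since an ID missing from the list is reported as not legacy-capable rather than the reverse.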
diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index b69d517496..198ffc7626 100644
--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -396,4 +396,6 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev)
     return unlikely(vdev->disabled || vdev->broken);
 }
 
+bool virtio_legacy_allowed(VirtIODevice *vdev);
+
 #endif
-- 
2.17.1




* [PATCH 66/77] virtio: verify that legacy support is not accidentally on
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (64 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 65/77] virtio: list legacy-capable devices Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-07 12:18   ` Cornelia Huck
  2020-09-03 20:59 ` [PATCH 67/77] intel_iommu: Use correct shift for 256 bits qi descriptor Michael Roth
                   ` (13 subsequent siblings)
  79 siblings, 1 reply; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Cornelia Huck, qemu-stable, Michael S . Tsirkin

From: Cornelia Huck <cohuck@redhat.com>

If a virtio device does not have legacy support, make sure that
it is actually off, and bail out if not.

For virtio-pci, this means that any device without legacy support
that has been specified to modern-only (or that has been forced
to it) will work.

For virtio-ccw, this duplicates the check that is currently done
prior to realization for any device that explicitly specified no
support for legacy.

This catches devices that have not been fenced properly.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20200707105446.677966-3-cohuck@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9b3a35ec8236933ab958a4c3ad883163f1ca66e7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/virtio-ccw.c  | 6 ++++++
 hw/virtio/virtio-pci.c | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 64f928fc7d..c069719429 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -1119,6 +1119,12 @@ static void virtio_ccw_device_plugged(DeviceState *d, Error **errp)
         dev->max_rev = 0;
     }
 
+    if (!virtio_ccw_rev_max(dev) && !virtio_legacy_allowed(vdev)) {
+        error_setg(errp, "Invalid value of property max_rev "
+                   "(is %d expected >= 1)", virtio_ccw_rev_max(dev));
+        return;
+    }
+
     if (virtio_get_num_queues(vdev) > VIRTIO_QUEUE_MAX) {
         error_setg(errp, "The number of virtqueues %d "
                    "exceeds virtio limit %d", n,
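Review bot: in the new check in virtio_ccw_device_plugged(), the %d argument virtio_ccw_rev_max(dev) can only ever print 0, because the branch is taken only when !virtio_ccw_rev_max(dev) holds, and the text does not say that the cause is a device type without legacy support. A fixed message that names the reason (the device is modern-only, so max_rev must be >= 1) would be clearer and would match what the virtio-pci check in this patch reports.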
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 4cb784389c..2ca266e1cb 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1565,6 +1565,10 @@ static void virtio_pci_device_plugged(DeviceState *d, Error **errp)
     }
 
     if (legacy) {
+        if (!virtio_legacy_allowed(vdev)) {
+            error_setg(errp, "device is modern-only, use disable-legacy=on");
+            return;
+        }
         if (virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM)) {
             error_setg(errp, "VIRTIO_F_IOMMU_PLATFORM was supported by"
                        " neither legacy nor transitional device");
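Review bot: the !virtio_legacy_allowed(vdev) check added inside "if (legacy)" carries no comment, and its purpose (catching device types that were never fenced off from legacy mode, as the commit message puts it) is not obvious from the code. A one-line comment above it would keep someone from later treating it as redundant with the per-device fencing and removing it.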
-- 
2.17.1




* [PATCH 67/77] intel_iommu: Use correct shift for 256 bits qi descriptor
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (65 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 66/77] virtio: verify that legacy support is not accidentally on Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 68/77] virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks Michael Roth
                   ` (12 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Liu Yi L, qemu-stable, Michael S . Tsirkin

From: Liu Yi L <yi.l.liu@intel.com>

In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was introduced
in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor
from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should
be 5 when descriptor size is 256 bits.

This patch adds the DW bit check when deciding the shift used to update
VTD_IQH_REG.

Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
Message-Id: <1593850035-35483-1-git-send-email-yi.l.liu@intel.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a4544c45e109ceee87ee8c19baff28be3890d788)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/intel_iommu.c          | 7 ++++++-
 hw/i386/intel_iommu_internal.h | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index df7ad254ac..8703a2da42 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -2549,6 +2549,11 @@ static bool vtd_process_inv_desc(IntelIOMMUState *s)
 /* Try to fetch and process more Invalidation Descriptors */
 static void vtd_fetch_inv_desc(IntelIOMMUState *s)
 {
+    int qi_shift;
+
+    /* Refer to 10.4.23 of VT-d spec 3.0 */
+    qi_shift = s->iq_dw ? VTD_IQH_QH_SHIFT_5 : VTD_IQH_QH_SHIFT_4;
+
     trace_vtd_inv_qi_fetch();
 
     if (s->iq_tail >= s->iq_size) {
@@ -2567,7 +2572,7 @@ static void vtd_fetch_inv_desc(IntelIOMMUState *s)
         }
         /* Must update the IQH_REG in time */
         vtd_set_quad_raw(s, DMAR_IQH_REG,
-                         (((uint64_t)(s->iq_head)) << VTD_IQH_QH_SHIFT) &
+                         (((uint64_t)(s->iq_head)) << qi_shift) &
                          VTD_IQH_QH_MASK);
     }
 }
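Review bot: with qi_shift now possibly 5, the shifted head is still masked with VTD_IQH_QH_MASK (0x7fff0ULL in the header), which silently truncates rather than flagging a head index that no longer fits. Please confirm that the largest s->iq_size allowed in 256-bit mode keeps ((uint64_t)s->iq_head << 5) inside the mask, and record that in a comment or an assert next to the vtd_set_quad_raw() call.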
diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
index 862033ebe6..3d5487fe2c 100644
--- a/hw/i386/intel_iommu_internal.h
+++ b/hw/i386/intel_iommu_internal.h
@@ -230,7 +230,8 @@
 #define VTD_IQA_DW_MASK             0x800
 
 /* IQH_REG */
-#define VTD_IQH_QH_SHIFT            4
+#define VTD_IQH_QH_SHIFT_4          4
+#define VTD_IQH_QH_SHIFT_5          5
 #define VTD_IQH_QH_MASK             0x7fff0ULL
 
 /* ICS_REG */
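Review bot: VTD_IQH_QH_SHIFT_4 and VTD_IQH_QH_SHIFT_5 name the value rather than the meaning, so the call site still needs the spec reference to be understood. Names tied to the descriptor width (one for 128-bit, one for 256-bit descriptors) would be self-explaining. Since VTD_IQH_QH_SHIFT is removed outright, also check that no user remains besides the one converted in intel_iommu.c.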
-- 
2.17.1




* [PATCH 68/77] virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (66 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 67/77] intel_iommu: Use correct shift for 256 bits qi descriptor Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 69/77] libvhost-user: Report descriptor index on panic Michael Roth
                   ` (11 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Andrew Melnychenko, qemu-stable, Michael S . Tsirkin

From: Andrew Melnychenko <andrew@daynix.com>

There is an issue where a callback may be called with an invalid vdev.
It happens on unplug when the vdev is already deleted and the VirtIOPCIProxy is not.
So now, callbacks accept the proxy device, and the vdev is retrieved from it.
Technically, memio callbacks should be removed during the flatview update,
but memory regions remain until the PCI device (and its address space) is completely deleted.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1716352

Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Message-Id: <20200706112123.971087-1-andrew@daynix.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ccec7e9603f446fe75c6c563ba335c00cfda6a06)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-pci.c | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 2ca266e1cb..ef11c66a21 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1317,11 +1317,12 @@ static uint64_t virtio_pci_notify_read(void *opaque, hwaddr addr,
 static void virtio_pci_notify_write(void *opaque, hwaddr addr,
                                     uint64_t val, unsigned size)
 {
-    VirtIODevice *vdev = opaque;
-    VirtIOPCIProxy *proxy = VIRTIO_PCI(DEVICE(vdev)->parent_bus->parent);
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+
     unsigned queue = addr / virtio_pci_queue_mem_mult(proxy);
 
-    if (queue < VIRTIO_QUEUE_MAX) {
+    if (vdev != NULL && queue < VIRTIO_QUEUE_MAX) {
         virtio_queue_notify(vdev, queue);
     }
 }
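Review bot: in virtio_pci_notify_write() the added "vdev != NULL" test has no comment saying when the proxy's bus has no device, and the blank line inserted after the vdev declaration splits the declaration block ahead of "unsigned queue". Add a short comment that the vdev can already be gone during unplug while the region is still mapped (as the commit message explains), and drop the stray blank line.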
@@ -1329,10 +1330,12 @@ static void virtio_pci_notify_write(void *opaque, hwaddr addr,
 static void virtio_pci_notify_write_pio(void *opaque, hwaddr addr,
                                         uint64_t val, unsigned size)
 {
-    VirtIODevice *vdev = opaque;
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+
     unsigned queue = val;
 
-    if (queue < VIRTIO_QUEUE_MAX) {
+    if (vdev != NULL && queue < VIRTIO_QUEUE_MAX) {
         virtio_queue_notify(vdev, queue);
     }
 }
@@ -1356,9 +1359,14 @@ static void virtio_pci_isr_write(void *opaque, hwaddr addr,
 static uint64_t virtio_pci_device_read(void *opaque, hwaddr addr,
                                        unsigned size)
 {
-    VirtIODevice *vdev = opaque;
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
     uint64_t val = 0;
 
+    if (vdev == NULL) {
+        return val;
+    }
+
     switch (size) {
     case 1:
         val = virtio_config_modern_readb(vdev, addr);
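Review bot: when vdev == NULL, virtio_pci_device_read() returns val, which is still 0, so a guest reading device config during unplug gets zeros that are indistinguishable from valid data. If that is intended, say so in a comment at the early return; otherwise consider returning all-ones, the usual result of reading hardware that is no longer present.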
@@ -1376,7 +1384,13 @@ static uint64_t virtio_pci_device_read(void *opaque, hwaddr addr,
 static void virtio_pci_device_write(void *opaque, hwaddr addr,
                                     uint64_t val, unsigned size)
 {
-    VirtIODevice *vdev = opaque;
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+
+    if (vdev == NULL) {
+        return;
+    }
+
     switch (size) {
     case 1:
         virtio_config_modern_writeb(vdev, addr, val);
@@ -1453,19 +1467,19 @@ static void virtio_pci_modern_regions_init(VirtIOPCIProxy *proxy)
 
     memory_region_init_io(&proxy->device.mr, OBJECT(proxy),
                           &device_ops,
-                          virtio_bus_get_device(&proxy->bus),
+                          proxy,
                           "virtio-pci-device",
                           proxy->device.size);
 
     memory_region_init_io(&proxy->notify.mr, OBJECT(proxy),
                           &notify_ops,
-                          virtio_bus_get_device(&proxy->bus),
+                          proxy,
                           "virtio-pci-notify",
                           proxy->notify.size);
 
     memory_region_init_io(&proxy->notify_pio.mr, OBJECT(proxy),
                           &notify_pio_ops,
-                          virtio_bus_get_device(&proxy->bus),
+                          proxy,
                           "virtio-pci-notify-pio",
                           proxy->notify_pio.size);
 }
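Review bot: switching the opaque of device_ops, notify_ops and notify_pio_ops from the VirtIODevice to proxy is only safe if every callback in those three ops tables was converted. The hunks above convert virtio_pci_notify_write(), virtio_pci_notify_write_pio(), virtio_pci_device_read() and virtio_pci_device_write(); please confirm that the read callbacks of the notify regions do not treat opaque as a VirtIODevice, because with a void * argument the compiler will not flag one that was missed.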
-- 
2.17.1




* [PATCH 69/77] libvhost-user: Report descriptor index on panic
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (67 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 68/77] virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 70/77] Update OpenBIOS images to 7f28286f built from submodule Michael Roth
                   ` (10 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Philippe Mathieu-Daudé, qemu-stable, Michael S . Tsirkin

From: Philippe Mathieu-Daudé <philmd@redhat.com>

We want to report the index of the descriptor,
not its pointer.

Fixes: 7b2e5c65f4 ("contrib: add libvhost-user")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200723171935.18535-1-philmd@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8fe9805c73c277dc2feeaa83de73d6a58bf23f39)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 contrib/libvhost-user/libvhost-user.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
index 3bca996c62..301f6d68b3 100644
--- a/contrib/libvhost-user/libvhost-user.c
+++ b/contrib/libvhost-user/libvhost-user.c
@@ -1867,7 +1867,7 @@ virtqueue_get_head(VuDev *dev, VuVirtq *vq,
 
     /* If their number is silly, that's a fatal mistake. */
     if (*head >= vq->vring.num) {
-        vu_panic(dev, "Guest says index %u is available", head);
+        vu_panic(dev, "Guest says index %u is available", *head);
         return false;
     }
 
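Review bot: passing head instead of *head to a %u conversion in virtqueue_get_head() is a mismatch the compiler can detect. If vu_panic() is not already declared with a printf-style format attribute, adding one would flag this class of bug at build time instead of leaving it to review. The change at the "*head >= vq->vring.num" check itself is correct.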
@@ -1926,7 +1926,7 @@ virtqueue_read_next_desc(VuDev *dev, struct vring_desc *desc,
     smp_wmb();
 
     if (*next >= max) {
-        vu_panic(dev, "Desc next is %u", next);
+        vu_panic(dev, "Desc next is %u", *next);
         return VIRTQUEUE_READ_DESC_ERROR;
     }
 
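Review bot: the panic at "*next >= max" in virtqueue_read_next_desc() reports only the offending index. Including the bound as well, for example "Desc next is %u, max %u", would make a guest-supplied out-of-range descriptor diagnosable from the log alone.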
-- 
2.17.1




* [PATCH 70/77] Update OpenBIOS images to 7f28286f built from submodule.
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (68 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 69/77] libvhost-user: Report descriptor index on panic Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 71/77] migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start Michael Roth
                   ` (9 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark Cave-Ayland, qemu-stable

From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 54414d0fb11314ede939ec80238787c5b2079f4e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 pc-bios/openbios-ppc     | Bin 696912 -> 696912 bytes
 pc-bios/openbios-sparc32 | Bin 382048 -> 382048 bytes
 pc-bios/openbios-sparc64 | Bin 1593408 -> 1593408 bytes
 roms/openbios            |   2 +-
 4 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pc-bios/openbios-ppc b/pc-bios/openbios-ppc
index 1c9ab09af72daa1e382a95334e90a1d255d2a9bd..def6d4cf63380d2601f35e2320b38055b8c4d6f1 100644
GIT binary patch
delta 30445
zb`R#LG>I~qJQfLo?lE#O;oJ4MA>h05KEM|&+yfRj7^#EF!|@ART#kZGMspM@andP|
z#HKQr%VWLsK&_RIf9DlS`#E}Pq!v-Dr*1A!KuPa~mR2%($&>N0dSTEO@fa!8DXm0t
z{UeM{c*%+4AXP>sE}hGAly{RPdBsxs4_@QQ(&Q!6Hd!7GRd1H%$=((Wd5kQ_y@Dyg
zTfWV^2e|bDcOotF23jiFz2yg4{?;}Sl@K8h@Wo8s2Z2<zl7Bz>!Qg6iaAV>i=lQXU
zYiBuG`^iz$8&QSnP(OIihd%7whf<%ppAUW5Sqs<=y@>@LgtZe+wx2v9_!z4C_I^Tf
zz0^qM;j$|I`MoH1QfhyB41Zaog8pDVmiG0R=ObF{xac)vd^%L&RiO%f#!QDQyedT9
zr{e`afWd_w!L%kx(t<eAjO;%03~Vx*edNi(`G0BvW!#;uQ4)^^7-x4m#reupu|BBA
za=%e=z1B+QzH(GBq<T}6qb2EnaQ(VOExwo|AJY4Q8;I`yR>f6k5XGpNoIjGh5NcMJ
z*@uESNm{4}EEPx5P=<1<@sr2g_J-i-2B!iAO1!6sIt5A_h1`OPJfRVnk*c`f>eXbF
zk*~NKFuquq)eq(>qZBaAv?So-69!lnU^#T*7J2x*a)53OB+x;6LkVDl0PztpSV}`*
zsR<a|TthbMZ?sL3q($JZA%imgWn3Ph8h@yGIkkvKD_!=7-ZxQX02rvG4DslovH;94
zXb%7iOydNm4Aeb<8EC>UE)IZIrBa%BWKf=XV3q~|wS*c6pnWuTAAl=+@QC7iKUHfT
zElCevKrxq+ZpDmrQw|>91#p;MnlbLZRUU=}UhA#sCRO->k=|hV2=qk<2wbIrU^<SJ
ziq|NFi>OdFba5V__0+6GznyeJREAJcARcLygom#fr3#+hPOaa1g-}VLJQxdWRUr6A
zE>Ap?s5cO;TPS)U9x0SQP+kc2R(0%Q*nErC^InJd8o}N0aESV0m`ckri2BBqfXj!w
z0BfYyAbE5@OAy{KQ}!Tq8js)C#7L>sJV@oIO8}2hP!L8kYQ1NrD6Y?PRD~Imm5cZC
zKX#pE2MkOEp=A^GibojP2g_rHW<P={K9NS5!RWn&O2ngCbtp%J;pM`pJy;$aoP!Q;
ztP}>cX;ECC<Fd+auxb1_qF8>G#3`;XkiWZ49(`MzVCx2J7-9)%`r@)M;M?fTaWDVz
zOQ8F0ki$(?!~2q2!1^{!0jx=F=sy_h7b_-eFg-R{4njNw>L<rk^q~qpWEUu|FUtT6
z!JqiV0agZBIga?DT^C3fqKeQU9%W<+fdcL$dk7@iA-GVrVrjkNI_tAF6hbmmY^bWL
zsp64Cx#D5R5kEXn548xCB<cx8XL+O_0#_mk>cjUkh_<7II^OjPqP!upNHEu*f~=Nh
z0)B+*&;$y7LOf!r7Z1M-bWk8-hdU|xJ+C2ResUzmb*_fehGMZeg6bS<oh1hkx=(}&
z{gMHI?&PE^uCFAj848M0sdXsGtfX%7XeV75wC5NZ!%*@ei+H4yJq$}%KGlT5C7P%`
z4DBk(CtNlMThL=47XA{VxVq9PCmb}k36DD3?>kXl2O{GrVj9-eli~6(U-%M^<CXzN
z`goEYPNBo(A<*3TVHmravhnys#~}H!48?UZjcSKs=wtXvRy_Q-4hN4ZFgoaRm>fjL
z;V?KWWemsUg;AM!;6D3sc_yxz%X*Y5$)Ja7w2)md-;4Qe)x$kQKW}mXtylpaa$&%m
zFsx!L;2~Tgq>oTVlNJHyOjHm7$8rpa`!vULC_=ssKaMUj-3?wt>3W1b#2XF`UL^G^
zuOT#Pgd7TuNF9NW;xt2eJY8{nXQ;+_=i^qq+tH;D{=^6LJYEi%aJ_wDHGt&+)<^P>
zH>&;kj0AD{6ek|#H$$7eI8@e=eI&#dtpz`MC5pRWlIOh+?`fX*6L`<|y!Yb0K)kD}
zzA_TUGHU$IYh(l{TbYJpBdAEjpZGu<S7rlt8IxO}#VF?^<uTYS>qh;)Ts@JZxNq&%
z>?cH$p2)>FizBINlsq&B4R5l90iLKrRVQFKSdRp(9<a8pqru(<N*fJdEh+9mNxVj3
zJETHDS70<%12Q71Pmj=)C(BTU3FRG_qqJn-Wa&;?X_SXdnT6P!zu700KJl4qETG~^
z2xQO^^n=mWkLafhuoGm6l4l2_c+-RE@q5Bx?=}-vM8RUpsWD0(>(}F17h17r`PD0e
z^TkLh$wOg!vC*nVWk!Se4l0R;j;2%d+nU#3Rj#;0v(Y<<P(L7GRSjSkO><VY;Js88
zWB_<tbs5EaAXaK2;NloLm=6gNZakPa#K1YHi;y`AJHPH2$gNs&4?&nKAT^qw`CB(Y
z&14({&}GUQ1KJE!DIS&hWnBP!MI<}{{piP{)I{YMy@t;Mbp?9G9oC7VL5BJfuz0|F
zQ4$=8kARsJcX%q^p(*MI92H~&R!()I$5c8Y9tG4p7Lw?uxLA1-*ZWg;tUS}Z8ZDZs
zwb?6(nqy(;anu$Ica%oDaX>DhlyMr8NdF%28cZ*blS6E!XylJS@c{vUw=3>wJKk?-
zlz>$LCJYS9sD1>j7O(=8g8IOkJg~lPTLH@jPG49jU=|H#Q=5wpdjL%TBjOr=z)XLF
zL6XrzY5R1z29k`9`x6Y3jE407fCouN3nqSN#3rrD0}vjl4^UcD0+=4KX#9x}2wYPM
zSUleQ!s-AM1d8_JBk-C5OT&9#*a^Tg0P7>IHL#HA3^Dh8fxRBYK7&|wfC&-yg+&5p
z2TTkkJ{Z_)0IUh`H(;@Vr2^JNRTH3;Dbz9n-mR8;#G{uY<Dg0Ll!}KMju=Hh_+Xeq
zbTy`eO5^0Q;Yk49&`=|)3KaL)GT3XFx;RB#^%_dLxw1?@#mQlaKK&=c>DQw^R&)9b
zCc>_2DHmYGgf|@JS_pky4>b#D4P6kAND7$*k6@&vNhnoPj(GG^#Uzj(Pe&%n`29eC
z@|g^xEfhByP#o-`6fEQl_SKI;lI&nPKAoy2%hULj5Nex@Zkk0qb=zTYSKPM;QEa?C
znosp1`(bPam&eNk5nEg1VI_8|kH-i#s*mxF!>_>CEAFZLwoXA^FU5<8o^qz3?<9Y!
znF8~|Z!1j!F<s<;J2=;aj56w&g1~D2?Fg)_lmjqQl(ot7h#|$fihFuHP=p?d51z%a
zxasirx64z#jo6P?k`4_?KNaCk9mP+@h&_}u6@82O&!)Ieki2KAJWve)ZfG*<N}#l}
zvbP$r<b&o}6?hYIZ7d$%jhK*ht?5bwCZwH8MQthV6OT^nz$3V?E`qT2t%`dN*0}^Q
znMxT65KAW66X0-CLuj8U)=+x_0@f4?nFfK}<4@_+&>LdOY4U8ri&VN5eu%!FCWj#L
zmG(X&wP#=n^P0qa5E&A|VyAGq!+oKvrO@ely_BB_X__=m!E}~d759Ca)RKsS@C*4#
z^1a?2=(&W_?v+RQZGh!30M-qcz9R`?QWe$RD@W1UB-saRM)@a@mn%sQ<oDySY&yDW
zq15S+YAo5O%VvbFEz?1D+g7tYzTf{qJswO^-L^=0JS(G!ANRQf(m94v#7N=;y?8bS
zRTrq@4x|-I0P51Dd+rWM7cuM|5E_Dv8S>P?%c%7it?-G2cHrP(2IeSTaa;V!Is*$0
zShOJD1*kX_xw(vjfU-tZ;i7#ivL2$?iDEg$8`Vj(7}dQ|qY(mYr7i))9#3RtVv-?-
z8cIn<s$iK!dC8#0AXG3)o#Y$ZhaUe?p}3coP-ik4>q&Pff>{H_-3jqjQudty;>VQl
zL~E>XccQbu$hi0+Plyp5rwNAef$cp9U-p+~yq5|9KIr+mUd8<w+{;X;pAdmn)rH6Z
z>E%Z|X37H~q`H~%)R<$ax<L<mD#yB#+XWaDLj6Eu<xPrvg+%@-a?~v*geH~nJoWOO
zw5bV7bYF@*3Nv1SN=$5Z3W!`8L@g<hNuH*1o1k(lD?KVV3o3`x2#?BbhRUsMqx@OG
zj?`2R<8H=$JYm4y5<sh{cNW6qb~4^2-_BR*sNgPmj=#xNeV2R}FVIofT^QIvy4eVu
z+bLr<^s^1d7D64~Q2oQRq54fwt+7JGE3h=Ii6)&19oxxhf?QLmzyvAhQjH1DuY`_?
zQkPJ`5&gEbDDFa?7Rqe7jCX^!Bi$N?cMGKBqlri;%+@%-unn05YI3P|j-2S7i&{^l
z<C=qH*9nyETI4hCZj{kVs`W%dD1+7fyD@kNRo@N5nyBq=^c4r%C!<OwsM23?7agHY
zvmDhQOd=^eliat;p<)MKnTfhy0B@*8G+=p(d!2!r!9HTq3ubg%N|CAPwvJL$k-}LY
zga-cj6Q4Nz0(p|+Uhhw3sTi|FXua58Ur5CSG*R4KTw#4Cge-I6Yf5!gHCK+(ThOiy
z>Y$scriSnKJF8`Q!Q1oD>{40-`|9_66J9TnU2LnLhY4+vHKA??KO15_@9}t7<G&I8
zwu6@qxk4ZCUV?Z0T+cl!)xGy%Ta-$v_d=<wF}6p(a67^Ms?e%T7QRRLuXce_0+h>I
zur)Fb%cGHuX<)5RbudC|J5m+*MlmrN_!A!pVTVO=|09Iz1!gUEreWX{<UbFk4l>R|
z=h>7u55Ov_oQE;Qa#F6^*4cSbHUsqlioiPZKH#)ds(6%8{(Y)QYwtrHg2?;e2Js{A
z^VK@Te3X#z5#p%^LEBQPO4Qit$b2aM^C8qbAI&l-IvtN%N>4{+H(AqR3ETbg1N`z>
z`Xn9BHdTEWtL9Efe0!NFPKH$)7ob5r<%kEiT;g$=8W(_-IO;-ckP>u19$jR-9}P^D
ze?L%+R3#qy)clUu;FvH;dKoiXEkqhCW?bEyyued1@j`G=x0m;!zMSNR@)+CB5Wvtz
z{Xoz!Usl{Z^(es%)em4bK7bie5`W?&U}1n|;yq1;XfW8;&PtT~woL)79x!7cybQp^
zbVN%dHK^z?7r<^5^%_VRYYmqComlc0%A?1;B#7+WF(mhraELdELc1EQ#4lx#K0_Wk
z&yFg9)DODf1s+~1LkZp9gn@^bs!&Sn0|O5)wV^D!79Zg60uL|sXlAhsWWKDUrVLf$
zo#JtU{1;(T;>fT_e$X#flKP88it$c59w!eW=OS4T4QX2>4-alcf5MW*2kg887T#zi
z{|DsZ(=P**q*kb+e5G4)zbQEG1AA2lETs<&q`evfST5x}06MUX5|37Dd;sK>I6EJZ
zFRc3SgQ;iEwaWPO#$P}D^~ax&^IWU%0Agn9Ugq~O9%(s#&oZ;KJ;$#f<4?6y=W@T%
z;_3evJPUBpVfULvkN(9klK(w~%KqZ_G+%9{?#KON$@rMx2);UBEjY^`^ZOU$1=-Hb
z6@Gtb{O@(nw!iv4%J>?IjCtq@&zw9zY*?M;d47WeZ57Hd&%Lf(db&#aWoy22>6ujJ
z7wdnNO9*ZLudk~MY3mHbrcA3JhFXx)6^HiMI6EdxqGKtQHZ7$UDzwmCc;Q7Eg?S;X
zFhNI3*NebxNv!KhwYH%xZ9^@MU~_U2)Xt!(3q>$PI~{IN=+B1RdC$!n3h$opyt&%N
zE<PUL?|Z-Jd7t;3d?&=9_Rs>bjqPtMfFB^9!g?0*7r;Tb$3JE3dP??(G-lWuxxjY+
zaqxu@{|fB=f4&|6C5%H*7Zk_;KDwyB3RX$@cstwizu0=*#rB;tV2$WcEXw*sPU2*>
z#L41%sulUq*-F*{m)S~zUe`TcB6-v0#ki<5T`BpqrzJo5qhA`6&$E5i$JWnbF_e!=
zgYuoypgaV0gO*-OgO(l$@j8gKpY;wg@cWF+znYZ!R|%Pav&i<vFWGus+_zEftnaoq
zsw9Dm350^QgN=X?Y;>8~?^I)H5FLOJl}e|m3<V*N>Qgdb4`Ezk^1v~SP<_TRLLYk^
zBh>JxV}u$|5R6bmuVaK7T7}0G79LMKFvHY{PT@*ZJ@U0q(Az8tE$4)|Wxo)6{}y5|
z9BX24pAdU}vazLG_IaCtZ<!8^JBH~%8{3g9Oh>@01^h6e4f@Z@`k{d2AAu2kp*cv0
zAQY}Z0-VPUro(H%7*L;&B|vP5KNQkvk#r~|q(dkc_ZLM{LK?o|kWvI(n)Ava+mF&r
zMq0QpBi7uPJ1{@bG?;fzdi*eqi6s$v`d%uZc_|`Oogy+F6_HFrM5f?ai==UBv`D5`
zL`-y2i<l@*izE|bB-z7uf<@ye=;`h}3l>G5>CJGGZ5NSjj_rwBriFh*Y<^P2=KAFN
z%{2+>Tr2YS3F#WRH0dfjs$0H_E@{ryYT<kVV`w@3G9X+lm27X*EniMa#mfUiy6iJA
zeXq<?yhry%)Ct#7GZazxT{!2OuBsE8+<U=;4&Dv|&lsT})T}$pR=5)fM;&m*2wYPq
z-7$oDj5N-jDs%FhI^_akc~sT9(|DP7V+^qM<gC#gRsHygG!a#eZrm+*|G;?1)=ZE2
zI;!xs$PS}s1XbW8?h%~19Yz+g)5BJw%_-L^gdHrz+A!y5D$fD)#<5XVTUx_ZmNU9X
zRpaLYrjLf1+&#c3Mjg|K38rn$OeF(MTYqD!s$|;I%CxVE3o#$lu0^Ij!{*|sI_Ywy
zjJh$U|45gAOdb4WoC~)CY(GpQvkSO@VWIz<na&@>K(EKQGkp!!^Z1>@m@?cb?H=lR
q0P*|n#_5~t8$9lEH`QnE8@MwF;~mrN9<%b6ei#gvm@6^W=lU0a6HbHx

delta 30193
zOX+%kqjGt3zS8wVvU1t-Z>6g=U%CA9rzj1|<w9@3dr<!XWh3edC`**fwPTg8Ep=M|
zQc)gOy8cn1TwZk_#<QV*24(L5|9FG`Jm4-&C>FFUjuO}SJYn_Hs_*EO%e#J2y531w
zF7N1rGC-Su&rz*?&ta|pp08Ga&)wb-3;fTOuJ?jaexr0XV0f|a54ttH4<)Vsp?jVW
zWexx16b;|{QKCkelTFHHd!o{Hs#M$1$#RWAC(|?nox}u!Kwq_L1p2B<8~7Xs68kx4
z(l&6uL4*HLtHFP$(cnKGRW7etqI6w!_xssbZ4dAI*-JzC)s65g7WDtsY(*hWMPb;5
zGdpytAjH7XO5D~K2+1^13Y#GKppk?yAA0Cv4?aW%2?=|shk;WzOYhLs5r&Eh3(OlN
zW;k@34?+(!^`VCzq(az#dvOGR-`QUehyUEWbH4BYzH`riHrUk)4m$+ku*=FkRbFQp
z4uFW9;uMu2A&eteO76Qrj1?v~6hjEPmI^}Xa#cYHdA=8fkOv7t2zh!6Lda7qIPQqx
zxC4l3CNG@AN|OuYHBZ>@lL7U21-QOifc*yo?1y3v?7uI-{yLdhe^2K5-H1P!nm~l5
zrltzE<AY2svXm5nGg@E(3Fyz88)SUT6x+jhI84pkY{yPu02I!eOgEu$Hi@X~V-X@I
z%+3jD;veWxNI-{Rw+4+T1T@xH0HrvvH0B`Om|tQtUkdgBt~K@m+?iiziY^o?JvxtY
z<BO1d+82c@X(3r|6q1j<LXwUN$#PUkKENqWlI|1|t5rxWB&SIhV<Kd+gY6Ux$7k?q
z`#1it|Aw9nB^jTPWZtm-wvuUcN66M+2-#Yftlt_cwRUH%9OG&PbRP+8&^<V+E#HGn
z8guuzV19)#SWdg$f|dQncA2(3n~;pN-2$4eu%7iR%ZcBZjd9iHxMfA+YTAK1SNmMG
z9W%;+0|$qLY`+SdkzuuJtZ**YiNaBixNUZgsCFZP%Pq78)SXgmVMN{5?`xJORHd<i
zZQ6s@$GLaiW?e!(!P%TjD6jFJ?Wvz=N1R&;SqBM)e?bP#icw?{G()4Pxj{37aG{EG
z`NDyQ7%8NkPu@Tud!!T<Ex%>9j;TuLS*DV-*)yiR*E*QaN12QeVhpXE>D&xcnUARm
zJM7F3)9GTSQ?*PrZq6rxbTPwJ9ksT{RJ#N3pjC~lOZci47+2S?L^(f+wU}GPNNk<C
zO|%^RKhE^fjiw(WFg$2LKVqiFm1$Hnz5c^A)5|pNGdm~LV;px|6Y8qbhbM#3j+j=9
Rt&@}bFzEkg?IcyN<1Z;9{%HUJ

diff --git a/pc-bios/openbios-sparc32 b/pc-bios/openbios-sparc32
index 2ba8660ddefef3f7e4bf42f1b1f0b7fb2ddbc228..67b8b83d984a3f4f804dab117b54b89783579824 100644
GIT binary patch
delta 19941

delta 20096

diff --git a/pc-bios/openbios-sparc64 b/pc-bios/openbios-sparc64
index 99420eb815a1675df80e837630a4284ce5c4e1eb..dfa1f10bbc140d78d56451fd4e5c73da13898d5e 100644
GIT binary patch
delta 38261

delta 37949
z3&C!{(*)ZA&k%S4&l0o(HWM@ho+D@iJWs#@tpxReHiDIa7YLkyEd(`y7YV8XTM6a@
zwh>eSULq(1cnL}X?F2=DmkA01uMp$|UM0u@yhe}?c%2{_@CHE)U^_tsz()`U*kM3S
z5U`WrG~i8w<A7ZRM*(jU90t5ia1gMYU@xG9U^n0$g6)8J3A}*!2wDMq2$})!6Ep!n
zAmD(#1oZ$v!AihB0w<u8pa$?EK{a4M!Cb%rf(pP#1Z9AO1SNnjf+E1j1ciW42=W1+
z666355u^h?BS;2(P7nh)Ob`JG5QG7~Fd#YzI6`n5@Fl@<z*huE0bdgw27E(s5O9=W
zFQA)XH{e@>?SStHynycsS^>uhngRbHXaf8|zyZez>H$3jD*-<eH~~Kq)BsKpR0B>D
z%mw^RPyskaPzE?nPy*;BC<6RKPzd;yARq7>K@Q*yK|0`ff@FZOKjMHI9RmmoXz)da
znoU`AAI^O--uFHWpT$fjlg)IQL+#m-XRdQw6&ufepGAe(Olfx2wlmMX7-6n+VN+H2
z&Uh)Uzq)y69-FKNb|!>h41q42>Du?zkT;7WliH#cC@hS7akN9RnMQ=FGv3T&NviwJ
z8_cn8D-I5&yVBK&U16bV1AvOa@D*;!#B8S2v+C4cdF)5kwJXp36=Dl0-&B~$U3p19
zgw^&dJUMDhsEze2JQdXzYGPZWXWxjl@2JXK$!xP~dn=92Q|G)jeb7#~#grueY^I2P
z>K=sOt@gZ?8F@_9c@3^+8p1XOZKl~*s#$NR4IKg9e$XN}E;?Vam}K}@sB_*<XVL1a
zx6_=1+}2c!rOIRysmJ3Fa<V7JZpthC71f`8(-T>_iYLSrC%tPL;a{wjB0db^7v)3t
zrRadEALKe`D5dR|!XR=tc}Mps+wybsUJCWGmveFl`IiJT8YEjh+9JN8zb(;b8q@CX
zZ%Pzt)>xd1$v^X71YXhv5WWsd_d`%95Q*1FuJ|?mT~Lyjhb9O|L9$VxDCymh2R*2q
zTT;;AVX3PxQA}IG4ftDQF<ES;%I_dI)Hm8?>4$=wQRrnByUFduebe#`hcW_z%S<*&
zM4WWk%Z1R!D39r>tTsgm3K<cP3?l;$yG_)3V~C6Ct>Vdr^8SeH-?vpfxfiy|lYLvI
z0F{cYLbF5~&9X>u7Ei8dMzo41a6$ZCMynL)t>VcQ3XE2X)LUiD5296GLHE6y<50GQ
z+2Z!kw3kZnx(0KLnJF=y<@O9Q!1RF`iiwe0EbTF=%^ky8mAa?n2G*`B@1!x8I_aGX
zHc{R9PM&$$MM$8w?TqEUCDP#NS)#}+8(~k5wPQ-8EP@iZ8vAZO!z6e&&s+xfXd@hB
zEhPlhhSVd+%_`S(O__+G_SNGYxz6D4CGP%8a0nV34I0v5MUTW(cBrEq3hIWQOetu1
zFTwmZ5_GA`dzlxHaL1%}BdLO<7gN#!|C-c{r11^bSvIw8Ps~lbk-k@Ca$YjE+sH&n
z4uE6<w8rK^2AZS)yJjT_`COs-n$2!&n*5(ND?O0Ra0bu(j`0!RSMFRjQ3B-~$SFeO
zWEC1MeI+j}t8x&MvC#MxG@AO#_0jmgx_M8+<olpa=_}Po+Z)g(L)&}*i?*$*<^2Tb
zENIL4FWR0$2lhsqfBpg*UsydRSL!R<r+kk?w#OZ9H?1C(t6*S6qZKAYe?i|g7nXLk
z@@FLKhVsWTJN~JW`Y2xxxqxWS>vEy8_&=*u7DKY@lbL~7%$q^b?EIu=)8W4IeKc38
zwht1n8w#!VzET$!RG9{?9q-NzD9~z#);aIiY&t6BlmB(7Mxf%?sGC1XnEWfW*7lV;
zr&UN@2CePTHU+iM?JIY#j6!a#YT27`%@@#C*H@~Kwh_?Q0&Qc&O4C=akG2HJdDONK
zVy@|cMo(YKJ{ku?vJo2NpwZS>u8&3ua&ApyD>SzEmAp`6@(D=RL8Dj=OZ&=Qs4@9l
z$hm~Z>()VIM_<W48b5(#?I#tR4m*RteIxq3uWTQ!dm-!4v@V6#Kwrr|T78hLdbeWJ
zQE1&G`drAKUu@24#Z*t;23b4CX7ts`l~CK;SM;1(A-V~o<xu$|s{c=exR1*9s$*Zm
zO_)83{9m+*$x{q%V)A74mD9Be>yKsEOy&b6aH)ZP2`Smo9NRZVpK{)%CU)kT=Rhh$
zwd{*AN5WU2Iyw{BP3kJdl!MDvcW3&bGnnb3W>XO2fNXT=ux@zkRHZX*P!tL%mI5J=
zu1@+eJ+3Vr^99z>@=BO31WT0E5K{@0Q}K<u;={+n+ucL$KAUOSCN*|{^3d<Fl=Y(R
z6P&?cPYE*&_oO;?f99p1U<)KiBE(#H3Nu%sB}YQqm59@-2E%XIpL10c@$acy_g94P
z6uUp@^Qnmka?CJm!#1j=2hy@jkXq}QbJi>R2pJYwuVE_6)D@ZZ{%uIxq<RjdUD|=r
zM-b{?jeVrP><t@-VNf8N_djU45AsM?aZAHTMdo;9S*lL`DE;E;s7i;Z77V&pE$sVF
z7^^8Vuh;-dd;fP$2mCdgPJ`#G8$T)xb=XWvKQZ;LqY0|z^TC5>wWAQCsMzkNw5ZC#
z81v`wVHfaTlv;XlNO&@AXE)O9Qx_b}Gh5C{y$)ZO>N}WjJ}V@&l+Plp8)ZuyREHGD
zMEQ_!s9MmKX3j$;dQ^MY6!wt18C(n5Ue$IqM*Y5PVE8Mr>oU?TX!tlG<u)j^^l1-7
zp5GHBJ*`goIJJLGFU0(o>fatwt3J*QS7;Bb`ah0Ix(3?os9mT{EY-mxgyT-<;{@hW
zk9|CzscOb2nb|GaR<aG&CpxfQwAf5FHSVxYr_pk$k7N5N_PAnCi~VdYN;pt;eUfL!
z_(f~weiR*=h+-Jc)%{7r(7TZ|xGcmKi(O}&zuaDIGcEC}v7dg=hNvNjYLY@R#xa6Z
zzjuc<A8xQHUkJl%GtIac^$QmY<Jk(-OR<^yTf~kWLn45|j~<eH)Q&^dk(Ij~vwcHN
z687nZ*yU%BREs}LA5?HbNV2;0v-E8AbGRGRA$}dsJ|Y%%OMv`Z5#|i`t`k!w65;UU
z`s%ZU{@YNI0O(N~9WmyGD2iT9OBTF7wfOUKQmS8deV)Lq>iW-zNvXZ+Yo8}Ou?aWD
zKD0L=i!%Sum)pfD0o9tmsST$N*9OI8EjERUIGd@gNw_YLNp7<#CXq&L)<qh~KQ7V<
zd8ybGuFFr~Ai`FUQeq(&`vPPsALv>oWZVsd6;o<S@HY`@GnJ>SRfl)uv-#XW9{Wh0
z6G+F0_p1VF>}9nLAy=wj!9QM=zsP4>RofS7>}_?<7imNHuI)C-D2B}$3~Fl8ShLji
zUo2;ts&b@|6{~hU{i^546n0WQb|j76s9L@}9C!KOF=Unv@ge8TnHTu4Qsu8ckYuJV
z{W@Qb_&REu!(VPgYoFaD%8b!vw8y}9y`BSKdZ=40T4(<*So*2(%odD39A*xPaJWy2
zaE#$!g)7=itk(#C8#zq5yvWf0fQY?7d%a+rY2cp??e_@2K>Oo{_NA))O<H)BUXl1)
z)Un?bv8&Xj-%Me7YR5Op=31L6u|PfcO~Rmy-7$8TI9S<CSrgQ#qv;HnC!fS7igQJK
zn29x5D?K(-e6l-6=@6neOa#?&bi5fyO$B!UXliJDKW&@u{yqvy;@S}I!BP;b4(uKf
z`I9?(L$^CRfDGfF6zjO!_HC3pp*w<otxoMu_`?OKgSbzTS1mT|J~2f4t{A#WYtT*+
zar@Nu-RYBeLo0SXzi(cBnM3(6(yv3Sy-z&SonL?Awy6WZO}O~Nay*L^rT-<xlZY=?
zQQhIFR4J<4)>n8#_XX<LsP1nQ%$Gx|098+55375=%^b8!U#H{5T?TF=zfB+HFhcG}
zNQYYRUA}n+e7Ffi+$1Be0wLWZW3=-i(f&Q^uJ4+}qMm{UB7PC~rL$OhXF1M@9kzIN
z)%VGl*7if2$Kg*Ld&O~B9DN&yD8}*l<hZ|P<|;^mv$<kw>}Qh1X|-`k%4V!)CUyV!
znatC0EM9^kuzi<q?a&Jn8$gb2m|0Kgi;Lq}g4qXbP~FFJm_zj)i(w6F*RecI(t-cD
zS>13jR*Egg<w$yTG}^As&?2n0&{9lVA|hLiC}B^8#y_ej|FIG_X6X-w=3UtBOjLb8
z6eZ0R>yxOMx$tDxh3ENYmf5@1;m0e&H}6~$aAR;-)m6twi_*V#d<rwYDEBn?`$M$9
zsIsdaBVM>R)54<-+S*%f5!`k@{0q?phRo;cS0~cgKUDc-8a^M$I+>mnEA~|vOW!XQ
zM{|^{p)ERP*rqVs5Syubi0U{wo)xH@PbQcLp~B_ro|8GuuAVtL-h3-o-bQu8&&lQ+
z;q$BZpEJ$H@C8&id=ud7Ree9lnEwEuO+EB;f*Jd@G(|mw6vN>wSCv!A<^;sHsgq8n
zMPAw<Ric!sU27~USQ!=$RBKP=m>J@I>Sjp7pry&GAHL)8+0>J#(&8N0z<iZva%ZEn
zQ$#J-j%vd#kYlQvdpeJ~)j6l<o4t^3QTLxNF=OYE)~;ssR<jq>#@;-$4XJBXe{Vvh
z1HEL|^EO4=On1&#&-A88VjrARn|kVv58KeLkZo1R{*uG4SLggP@sH6Mw8D19lNCoi
z>YUaUiQdGLqs0#~Ns}&!AB*^2HSkLzZX}dn$6p);{jpd%@7o#Ed;qO2tW`YLNb^hD
zDps8@_@z)6u8WjQ5kEp*^=m$>R(JiH$GX+tUvtbjOyQfftl!cj6=AJ9D>m+4`-cEp
zuewN`^IMwv9mE%_tKfU30eg0J>u)*cEeNx#-M`HrfkTNBfUTV*>alj5U8D<jn|(6M
z)P^N94lPlq)}Bc-!}en{?12v_ccn$`IFoF?3qHSk>`Z#f?Wl*_waIRhih}*Lb^LAD
zy<$|0^4m=FH>hKO&otivsYZ3q?=PCg-CvuUcs9-4;SBx~uTDC9ZFEWxyk;@%{F9D!
zt^I?7!YnYUEoU>c&uw)!g!&?}5%|d+HOq|&ZtGPlV}DgDaqG6=E|CfvCTs~Nvy>+>
zXcSR^$ih>&i`B2m+$Nih)awzKvDU`Y%nk4rudQM?jBsJiiQKtFLHzL@D0J-3nM!W|
z4%=XSe#5YaTafPcZ2^`U!Vd6(W;WjZ9MZbIQ_ZZQpEN7Wiw#DFnKgNBgIRq)_LbKk
z$v*AJqB-~q?+-)SH4<Czoe<0FL)o3&eiMu0fnh9@4dDZmSu?Zqt;sAe(t%+UvsF@L
zv9Wq3rm~jzCbL&Xtn%+;753PbSEC>;#+Zxg9IVLb6*@>TXRzlA#QQFY5C5n5OAz11
zJ5pFWbMu}Q7Gu5$Aw7IxDndMZNG!&!%u6o_2}6j&*QByS^C@@>c$e_vJ}j-2C#JD#
zbI0l*(yF*Sjm5-?{ca3KpNVV<MpqNol1A=BG;8EtX)I5S$}|_Z3};2=weY(6jNz=B
z{lmLwIJ;p0OX5l{OJE;(C*-nxiK%??7?#H#@wSX%$!6B(?Z{_NW}b#j+xgT#vgK?e
z_y3Wlo1ay&d0JN>CGeO_*qpdqS9hBdT^?KPm?~3fZ-o-O^A;u68T_uyyXF!$pRs4w
zO<-y4eLj2wDzB)4Ls8s5fmN^=?wi1(rL<n&HG$=`7r5n8_AFDl?-G{Fk6p^fV@WiG
zhj>daV}(qz`@QZ$Hbi1oeB<Tl>K5+5oK0bMJn;&)5=l2+fh=lO$M+ZtS1{NbZkY%%
z7oRW@_4e@16B$R^Ns|!g=8Gq>iD;?zNh}#6U6WW5YxgQwGAommE<W}ul+nl6T*YpY
zly2U06?@g3femK|Z!5yc`5e>R>MybvW06#BrfJXdlSLT*1<v3%8+l?e+BJn26r*tE
zd_^&PlGXBz$?OKUgD;)TRC78eYYUIM8UuVVymh?xYLt`ljaQ>&3g3S<D`SUw))baw
z-j9(}%I#Co@Ywx)-N9E)LHFP-LaLj$VZ(+-@LbA-%{P6Cz>alOS>B}zh6e_iVrq-g
z2kr}_wTm|_{3)2xU$4VUhj=WI!iXvUtCV7wXVw69j##Y9U*(ReXpu*_dny|hDwdG1
z@8`a$XscQtat)g&rFL`2HR#e^e9bj1KMwP|dzx6FM4sYh21+sygGS+=o1`^-!3)g7
z>#jxhF5+9SMH3WoxrA+JHr`Q!PAlc5rKqf(x0IrX9lW~~-QeQ6*MaJ|LpY7RO*n15
z=Q=hDCla1`Jqpv}wO^0kX6?N02E=x7+-K)R#%_tW_lQDZZ~YSr(Z%H(5$oo~H?n*!
zHekg15!=n(S}-P3m)Ke$(Hod27?C%k6f#$CV(D>D3L_xxG=;UnfUM283j>AK5d#5h
zP7#acEs!$jul_+n$K8Yq+IYsztOjGpb2D2fhLW$0rSa)yY#?e|Rfe+L`Q|btZR01)
z*!`%qqa0<d<89?=2@jX2p;z1ZglVYWHGIxAOd=omPlM(TKKvGTx1{)a<1L8X?DgHk
z-quEI-3)d;vhp69!QNn@HwDr6-Coa3Hl3jwXDZlX@eV9S;Q>2aZoUSwz22%>$c+_y
zeU&W1Y~G6KavqqA6p?&F75m#olhCE6;J#7ihU+ri^@dw&xSQAA!RDJwSO0)v?6`xC
zlxE4i@eVY=Zf==}mhm`)pC|GO@Q!G+nQnLirXU=v)%X4-isBCS#lhc$%zffGhWN3(
zZXUZ~&`AXOA&Qmc^DB7wJXUheX9((s^p|4g#k3pP5Y~JGDW*a!aer9z>Gm*$Y1Z+E
zA`#|C7zVg$jimHj(|`M!HK{Jy9VX5)H{|mb^I1g-7RXeYj+oBiXT7U0gE(HdiDVFq
z;UNoHD|>)%U4Y4*0g1)@&;m9-PF!2qUbrl9?tH2biqgk;?wuIwc0S`ymY%&vlmgr8
z1D!MNN*jg`jF99nnpI^pl~y-|`oe{OZNA8=^fKOtl;*Ke?Bant*>thmlnm##h3vl2
zLuU}|;l71fNiz7HYK)-)yrr5YM}FOaQ;+|uSyf^^LV~TltD5Cp^fZRCysM(Qc^MXf
z^Y61t)BUztRnjh(d1poQN@ws;56^XArB!%OHLTR5NL9@1955YAk)e<K9D216-Nm~R
zdU3gU4d!~v7d5unbaa>5W)fY2c^}t#tIO2a2p*aSWdT0*F7_lpUCk`!Ol@X`+|5>+
zVNYQn-FLH?$cOz!DOJ*L8x`nU-hMZR_9Pw<&Lv!4#O9j!qUY=Q;zbx#llZYkSXHgO
zU@>NinJ-w3jl)Awoy#{bW<^&n+*Q+Djmp(@-fEZqlb%3RU%R%!WD6H14MRyUC}lrq
z@KbC@)9N4_D`fG0Z3yIN@Pd2L1US2;HFC#27{gb>+s@bDgLUy~{@OikVv49uhac%M
z5G65MHuX0R0n6^;J`Au@H&>QmUL~UBZf;wGm2M*MSi<(A`x<L7+e>*@4f1e1gP$~W
zOD)SE+TxC~(<Z~}4F0?aC3Wx_wJ;?PUR#UW*7D7@XpP&k)U@!}dr_DUUT`m~5KHi9
zw_msfBYBOs1h?JG3Ww%&R@g20lh=;5oBZ%&oHX%}``G;O42;lNn`vq^uf30@N9Jsa
zNvT7R)S*_W#niLB4Z-H0#e%^P-G`#w#e46=x>3tZ?`IWB+fls?|5Y{&;HljhffnJ%
z{J}_^>g9XxhyB7^v((ykOVJh^;X|`5WqC=oxxxkKg&V7ryS0vXEX72??l`5GdzP}~
zK{)iLRAJ)Ry@VqJ&vmkR{>@TWK6-;?m&4XiGj-bHeey5p6tu;mn!asuvQBFY<pnmw
z+wlPVjbU}&<z(rD>hwkbWGFJ|;8`v<a`3EDJ?z9U2n&d?^g-IIeP{3lE;&<rxLpJt
zGo%h9s8<Ay99)@bgmt2xCM|4q<pLw@EriK<>tABL^^X@;XiIeEA*g+0^$)2QamOPJ
zd35LrY}N4Xp6{@Y*FJ>Ff)%i96nDJEM)A?h*ibaR|6$me70WO+bG2lcrHQKT&Ct+P
z9KH^o(q+%;vbxF`WZ%tmm!kvAy;GM9vtY*sWE2|fry69}z3yR_&c9#52AbP&uKs}A
zzQkz2X?&J;8i!Ofq<nnr!)&3j{~I5M1)t%a^N84t9ptrjY!Q2fAFIOzeUi`l6Z2xo
zCO*na*i63QQI>CZIfEZD-ts8c(so|{7#k*42E4V80a+{0_%pjUG!^@d15^3ZKf}zm
zbN`>Q!e#KNzc6mbx{_AF+y26y6?>sH7q{25zeVoa66y@TjHS~ZDo!B#Kjs77sNG<m
z;b!9pJ>!-XixK1F4mZZ(axr1~MmJXHuejgMny&e)xDD(7fh|mo7BLT?=5KA7%I6Kj
ze)sCj?53R+&Rz`eB(Z`oGdX*(*^PVgHVZa7lV21kJf!<Ge{D5;lNZ&qC^JSAb{35d
z>^+vq=cs6!P;ZyYo|M?F-lgl<3C2F=jz-MhecUaacf4(lEFl!T-aUWET3pQKCM<nb
zJXbh%yj(af+$9_zZ)t*s#h$`1+|(@Ycm?O4fgUylEv|T2yrlH-2_BXZIb(>nH2-=4
zn;X1nPjm1p56jFpR_v2E_nmoX2cXcC{w0YINw9r8=3)8a8MrVxhI1RXMIP9S)ff;3
zy!Z)h1WWmXCt!10b~;?9<)akK7PQmLxpqsW$%Qt`+JLvi{kI}4(j@M-v;NL^J%Ixn
zQf*+F;dN_bggv}+H1}*^IVp~v6)7$egf+E4?#+*XR4!JR;>CPSPd|vo^B#yfUDQXY
zBsM7vzA{{k?k*f?aDl<E8LnS<@8~h&jm^!xu?F`Va)w*It8cg?L+46TFmI0@K>Yvg
z8W~dhd5(1(+1$8L47=E!6(*A}!<Ix<wwWejIBaCellS{)id*Epo&K4M+%r=gsrT*`
zqgpHrIBr{T+zt_=TO>u-p&=(dfsr03z74{?@NeRt3t{VdH`EPXFWMZz$A#+~WfJ0?
zCq9LJ^+#eILoODvIYRI|e8y93{6&>UiZid^TO2WU5H%keBw@?N#FSY(#v{UB=Dw%I
zzE@k-CT+sG(#>~mV#hC%caBsN{Yy+Hf2e}>Q^6K|Z$Gi&#w9@pc8H?X7<eC?<%gPa
zc5CE|TVVa|+}DC*SqhE<Pvhw5@!t3}B3Xj>*fUsxn8iD1Gm8+byr&h*+TWhT&Koo5
zIc&LGc+YceF3!5;&tqP`&i6cz88?^9typ%h=QCQ7+{5>`Vu5_uo7=_?vZ2%0UeZ$t
zb6AT{j>0h@SK3UMujYwcu-I^K!4}q!vFrGR7ctp~ad|7!AL6d9Sei{Jy+urw=+L9$
zdc?waZAB9(T;7Hv=W^RNO#T1y+PASL#%kAjaYk>!(%Z`0-eS?Il~^&qiGyKq!Mx!*
z@4S`7hi-R6T^(QHg`Rf)nimEddoAqNy1l4HDWA{|&E?#&o5fqdc^)w~X}3ug#lbgi
zTX|hO`vI?Vc<sxOw(vbKv+6iS9GApE!6!~uF*qPy4C%}Hjjyolt(To?u+GjEuW`28
z#iiZ5*rmO~K1Ca?d6n&!l4^S@Dm$FP-FY<j#Hxs)fv&&oK3@9<nqwa{xVh&I)@=S5
zOO1z5-Oef^fA*zU2AsinWPf_4-x=KTC;r-YTy%IK;p4eJZ0+2ryUZOvRu-o<0|r&%
z`P;uQU(?pwfDfi-56|6!rbunTddFw%Ku^T-{X1~Ja`V!iSUWR#?M`f>a0{@L&1M;1
z%bPghW3_ec!jfFe=e(s2kIiqfv^de|*tuQU=$D|>N)_*Zi#>^JXk5+W6=aS+eJ14a
z^>4GsFgP=ILx)YYd@}mMy&I(p;ep*4DhK(Q-RQ2rddGIK0Su$S_6|awe8xMh#EfbC
zHV*Ueppb3c@)?Vc{{pvviVvMKUF($7g~#--`NrSqmEUEvaUaMRypL@d2G#pmfMa?0
z`xslfJnI8wV&ii@z;#Ck-~R#P+Ia5=?6i5z8tW5P{N!F(LWj+C>2RLm$6<PdpWo<b
zsZyn%*ZNsncr7{&XWL87e4`(wDd&6qu+>NW{FsnR^>fQUU3%<3Y+m<6r<*U>hg{0J
zdmpZ)6ufm$q`N`!2_1HAhnHDqVZ!bcM&Hi^LID(obh4bJmVOv=F@2K^K$36PS!R{<
z(oPnWWRJu67aAXtzYH1&nSl^-Hd<yW++HpX;~P3z66UwBlcn}g@r##Q&S0Q`yUL{m
z7U1%S>?;07Cky9gAF`#PFKof><4ZhpKTF^zKg3nplYAijY(3A|&*q0dglOp{zVBT0
zB0YKm@7|BTy@lr<fbb2x=R-JCwYZ^w^4Bz<ZXT1X2pfmR58e6ZI^K8yS2-r$aRBR8
z3Xl2-h7?zqAF(MT`iT|Tc<&i1?&ZZIZ!_iZ72&?oc1*B0OTBF$;l>S1+1M`jy>OLJ
zuwbz~zUEVepW(5G*kk6{{=XK!C-!QI;&Z)$+<yqmo|^{_Ax|66`izyCOEIe+_tt&J
z>Lqi=8tVo-PYhtG@$3xSc$B*XxJtSM*M_ltRRI0%;9G^`;)ep5DQ<500(FSxHsN@<
zLpWGdg@X%;FW4obLkAvVW2DM%ZqwXezW4}EH!|NU9EG1e0!6tz<4a71c3%6XHa~n{
zV$n76GhaecInVkEPL+4YS7Ktgc-7bJIC3ff2BIeJ`3B{YdB->GFf(~uj$(LYo&~zG
zXa>BlZ;=OteBVJ|20!y1n>Z-rZ+UhL-pi{t)41t;>i0NFl%m=NeChYBo_)v%9z%hO
zx$PKEWaZwDW8w~^jVnJOHxIA+L91co56HBG!%60ce_&zK>;Uf;60tn@I7=T2gY>a@
zrGCyLYrAkUaR+~b_ikyu`eeQMC+<EDg%<8R&T1kXed(Jpl9d#H`lbkX%<M*9+=G6~
z<!gFS4IAIz1H<Iu6MjVZ$XLW;dEJj}yx4Yi{RYJD@JCEu54^T@KcT`{=zn4_q5*q;
zVlh|RPKBnJ`k4xY4H&?9(PesRun)!*Uw`7&KTMa5aO{{*Sp>TtRV-4KDHCC11^)rl
z5J$#ex%~_qHSg!+B5YZM_98#Q<*|paz*3Hqn;w2}4qLu-4s*F(3`abxwm9u^S%x4z
zmdqrS&EyFw42nx>&p;&@Sk%%g?k5^?BK+IffN7n@6p0N)9OSSFCB*SFXV|b&KfmA5
z-yUoTQ$kuqIpIfHIz$-|CX2Q-!jAAszq4!m|J*7VYryM#{qGojKX2#$-`TkS;zI<n
ziSPXjx17Mua&H~aIKk3FW}=upX9A0f{-_?ys<w3$n<4ZXYTfk+UwVRNCN;i<g#q}d
zQ|ZkIPo_72i3(@>)0;olx@s2`vHN-V33Nd&4q5-;i6_}a@v`gSr+m&y^s<$&Imx~Z
zxA02>(0XtUcm0eTM>h^W1H@M)$S}$oJoyIiK=7q7mIr=GL#suaOfrHuZ@}4KZ^d6f
z60JyI#^ymrv>>iEO$f(eIPg86aEgtaci=NO-c&!CC0;L{bPGNIF1`4IU8LVOx(#v%
z{LrC&0fkRZ^n5OO+l}}R#9Ppl(Hn8k1Fm&Pc`!TTr6}HWiVY4uAimwfK@u1Dp$F!o
zF%fy1jh=U46NbGF1wdtv-rx=~g`-eqVt5#ZGEO1qU(`eSU$G_VMP^YOLTn<l$#@0T
z(pMhe8eu4j3LqZew9UqSm6kW&uqf^N;ivmFi@<eNbR||OaTv1nvIyth?r4wp-5V;Z
z=N)y#Ep%<dPhbpvSomglp`7@>UWw|PZ=Z5jK+X@jA*-``LjQ~0O_1x*<DEvPeOvb$
z2>75#y!{IKFN!8YuDwruUp?ay--biyKSb~JkwfQb4Hl=j*u@ZR!41RL$Pk0_#FuUh
zA3cG^Uc3Jjw4d+aCe>38LrM=)bRs3|E7zxO@EIQ#GO_eI_wT@okOr60-+lVe3|Y5m
z!v<6z+uIi~PB30hZ2M2+<Q4pH6MA3mKZUe)s4_0e{=*m<pcQ=oF$m)I0S3tx`~Qkc
z8XZFYQRz89p!R<T+1fsp!=Sk!{s3R|D;pU)0AHTi{oE(~Q7^#X#gF~UMu*x1Hk0Km
zuKb4Ui>P{pck{)+u`$CeJ8^H~YqX>-S%)8cuCb(@YQT?g#M)#tnIGo6eq-aaXA9hF
zRYEW^bGMCa!<uqpmA-p^-HkoL0<@7yH)EsM@Yu63Q&(`uS!}T;yqu$0aPeVrHJf6g
zu^f{9k$N2WoMnY0kawlux2VP2RkZ1bzg^}rtqa>!0d8Frwy6vs4c_1ko=)T;L0Ge5
zK2<p5_?jSI^oV`<fd~1nAU5lBv9X)Mj|JJHa2fmDv<=o-mbF!qSKNTN&*8(Fv>ax)
zMK}w*S&~#H4OLKo?dl8*K|tSwb?)UBY?H$4bo}sbZA%vJGw^jCjSbs}TXi(je)z0N
zn;QDz2Jw}ZSY*<)ENaC$6j}5bO0ME{W@$QG=>5tpVJ|SuJ3LH^2*GQUu>(-JEZ#mq
znvI=8;y@|LaOz7OEakI@`HgTQYqsL`fVk%rO>HxcTEy26mgbvVG3pq%O_Sn7{bJ8=
z;#m<=zPQN6y?j-KRAGJzq1q)#bm+d*C`$qFj*#-qKOi`k!?5O?aVwZ+;WI4Kr)-b6
zAW~Y%*gWpDN-wfY`Qjnc@^IVEny2#dvx>xZQBrbB3n*u6s4H4*hqp#Q*-JZUgr_@$
zFCOK#DCse_nD2o!>*dFyq~q*K@1dcRlVSflBSxAs2!`f^{yA8=aezL-x5h|0;oqY`
z3h--wEJjLaejXJo6^i@4z0-JktdwS6h;eG-E_jp55jvZ`e#DwAzJSD<`~H3I=r7B;
zFIGyAd=)L=5s2Ug`B=7fyD%_LiqS54+j&NuG&j<%&)E0HguvRfx0ZY2q~t+jZ_p-e
zI#Q40d*Y-V^Ae$OUA&ZFPDM#`g}R(Uvk=&h&prk~Hi<h%NYSD17a_WU*T$m~+1wM4
zwzeUpn0FyTcpkhMmV2jgOM;X>s1ifB8>pb9y?j!FRCMVzYpfnzB8@!Z4tvUp7jkS3
zTw$gg!k)rb<AW8*DrRSiy&twZW_-Ii60Vk9yLYfBO34?mZ-@@qN4<-?7>GgDC;y@f
z@emhxA2EpU<gtlTX3|VFaHFAFf#wmer^KfZ;+xD5y11r!2{c#X^ORT-g_K+Wjpizd
zUukIG%-f*ZT!7|u@Iaz8-i#BzlHpa7q`eFq)Sh8des*p<-uj3w0}`RZKe$(1#UPUq
z@eK@JBOwfNdp7eMlc5ElabtY1NtPxK{ZULg_bqANtH)s5H$)t#o<HV2mMj(a!$Bh}
zP0ANjah9p?RDADU?kK}c{rWUXF^dl(>iE_)j5qOxQKL42dBSjMpc$hwt&V36$21YU
zF=Ha_@oN()YlbwEKQmk!WX78S%%<0bSi3fxdWTE(;!|A3%~y?(mWwYcly+~_Na<B(
zei{C5@BVaYQHa=absYI);VHaA=@9SV;<&98N*~OU!p$Fw5vLET4j0nk7DmK<fVfD!
z%1CYR|AFsKVU2Lbv56nckrL%~)+0V=@Vy2;Fk70K{e;+;;WrA+!k`+KqtAX#AN(C0
z?Ngx74|lc{am}CcePj#LssBql{FY@FZCebz_%P_)7O3NX#4Gs3FFLd%1Lbei%RhQF
z>W1AIc4oFT%mIu3(xKxPh~R!>v@|8IV3%W-%Z!?>uy{-lXS69ROs;+_EKij4{iD&C
z$&k#@%y{U#L(tr~9m<i?h88qf6c_HiocIysRc+cbnR1M`<w%*4wHSc4G?Z|IgGD9>
zi&G~bm@B0xwf(#7uw#D`*`M^5=1N5a*%aP50V(d`?GrHm(8;MTZ|?-Dgo)4BQcT{d
zmr2Qz_?{>wmOE_H>~MFA)-!Lu!4KJ_WU=>t^Nw|wV<pFW@#dyXtVr&t6cJj+i!a9<
zY1DdKm=6B8%Q5mELnS--W~9hQAHIpU6n9Q%mt&A5iM|Y@J#o~L4x`QcLGCVYxkAdD
zJjXp$bm7?r=t5bD<L5nk7o8W6fcPy?t8L!S#Uq`ePQ+i&S6v|$Wm66kf-Xgp7NHWa
ziglIelZf~~teYq$I4K2|<u@~tqOs5TJD)<try(8_;cO-q_S}B|d|`zgPGXgH|3yzE
z;$7(|*+qr?@rhET8J|aB)U{2-!uz`zaL(YaZ+Q1a7?VfElE5vK;B{eNRn7}0p%2i|
zJ3r-Blcb!;3(CK95A;^8yHbkb+b2m;W*@Y+;0qk|YAh1W<7Xyek$)PKt()5?<M6R`
ziZoy-zIUoDMfBg1F)FuH9QWchCC)3M1UH44+}iPA=cQ2Ctwp_er4)PXQbb{p{En6W
zpQdf}xvoZY?7SN}6u6@T^cof?ww)=W#(kOyr8++)cizTrS4n+(XXkXN$q=?2w_#Ca
z%QxUQ4C-WTV6~0+xxPNHPQ*_|S_MVD5tU06*`AX#iVDj+6swGoy&ST!VVVs8<SHpL
z8(WYRZ6M*NG_)*fWgQP8B*LzHC(Z<w7Ia%Yk1c{hHFH}Lx@-Va7V|2EXg}!5;A=!E
ztY-4%{Iwz}VbHG-=-vYJf%~L3{#B8bHw|BmD(HvbwQu*=j!{evs2T><L!w_Ikz;t@
zTU6x!CcfcF>lJEn{NE{77Tq2<>-Jbre}mUijH^4blJ8h84#v<2i@D<pzJ9VaeyCIQ
zGqxxx`mu3G4q8+nOZ~2vVzr+!v~%TZDQ3h4BW}kW49`H{uHAu^PHDp^iRVkMmWG<I
zcSmo)7ePpQ{=0KzTa1)`XVCYn$fwUhfcW`=u;Vg*=xQn9@(VK^i=@5_e)ovM?ZZb}
zdLNyel6}>r^MWauIO6&_gHM<urG;bF*#Yy6-&;8jH>$bchw$8~(m|HP<!i8hPU9KZ
zVEtT=R>A)C8fmXs%u^iR3D-*XS{vdP9epAC#2MVag&!(`N%g>coX3`;j~|C-*o{)`
zy|CRC)8y>CtH-q|hV?3yBC_Att=`!;R*&=i7pu4ZP0V|no-TlN*SxG-y|d5!%PMri
z?|xB|R;0`A)3UIZ=UaArGvYHetGE3|lvcBP>D+mpB!{agG8Um7OS$_xDLFg^4UR_M
zaW_{grIFIkTY2C*)N!^px;0CXc|9zFxVbRQ-Hz#+xhub3N{iIY9e(;yubaHMKk!x8
zqbqhmX&c(Uj5l8_4e^e=L3)|tsx)vTY}K<o_a-Tao$%Ukl9K!3LsoI?Oh=qI_VhX8
zyzyqABhDMIXh$6D8!w3c7A~V~_@3!BwyqCwWg5nRD!u^2f;bgr_i+0(DL)1KrBoN*
z5e*Srlv9$DA@0V+%QM%efcVkPqr82Zw92^^iyUssLwu=90sdnFENe>fh{E8RWtLRa
zu2jXHhSQD*{++4Hsx};Uc2?MJe;OUI)G-tMHhlYUk3Q8l(X$Kw6(&#YF86ZJyA}4_
zKV6LNpzMl!IKyLkIM-u&gxTUxDS=#UCqj0n*y52+der2K48g@e>u>}t%b1P5>j=d1
zkm*vX^BbYsVv}~(*vpY+E~GH4gEjc!lx0~+K=FGfdhn)L*%T5O?%(*PN62Vtbh$er
z7Yn(J3*@r?jofU=DUi#(KyEDL6e!f{me_;3?F_SLy%ZW?u1!7`S`vJIYp92xm@bVq
z|AgUCz_Aa_3;!0Q1cT}9bnY82jk3<xehcpmzJ|M#G_0U!r+PQekcKelS2(8OJ2QL}
zi^jx(QpAnKd`ogQ<HJGYw@nBWhX!2F3b~YiYYWAV%-KXC2lqp<#!(!uNU<|NJ5<xL
z$!<z5HsMwHQ$HZ=ojy7)vqMKJ-rYlqA+Y0*VyV|N5x>@eSv%X0m(P^O51QeQnT56F
z_rNP~@o}KkkA=tT`TxG2Z?2F^!s~w3UMT<m2oJGK>2dSueO|8~Tq}kPG%Vqh>{u_#
z_2@Tj&fx19>PQjpU1tsSID?*pybTi9T}nSM73;P50^1pU^+gl|tIY4?uqw2O>p$^3
zB7{GO)uI^TSBTN=Ut-UNKO1Jmhqz5f+<2Zl3(HqCCW2ev$G<981cz9^(s}DFNj8fW
z!Pw)!DvpWT9zUH25f>*+2eLl%BWjJ+@YQ*GQC^=TmWy<A$vW#7cKxVQU5RA^--cnC
za3P9y=$qr$F&nWt-c>23N>BKCccqku*BS$7OOH#l0=#9mG)kJ)<J~_SYft}_Uj6L!
zii?Nbjynnqx8IIYb(^T3GuSknufJWIIO0VeUwKh~XAr6VP|UTVFerXRC*ChYbTSW_
zi))OFc-34<#kI|uxybf6uTmw&^ka&*V7@fPDt>pH+TyKyKsq|e3@e-3?p^$tRFlk3
z@?+0P;&o8Lvr;Br8q9eX%T_es`m9uhJL@ygLRA7+HcQKfRr*~UaOaQTk1f-Fn$c1x
znyC}B#u<FNmHReJ^P(%e44M8y#)zxuw&x^uXt@!keNSUV-Nw70lWvKw?EW`#lkpN>
znm)AZ-$Z5ej_0MnOHZ45RjcI1+f$`YntLvT7|~{W1}*q1uT4_J5Bl+ugfqD6HD2(7
z6f`eF&neysTci)ALHD3Bdg%wF+;+PZi#C01K04Coov=+BAHtsU*1jw~7S3wDA#Y00
z_G5FrZEs@%W=Sje?3VD?4}T%}GvhDRyJvUU#9Ah=erOuM!zK@A7Wf8-m_kq{?O(8~
zjIUlL$8on!p2){vE)Qh65Q&H}SuPN<@wUt5x#$l#(+62Eh^gYPD-h!nX)ZHGT@ceK
z@_c%tJeVK7LY^@w`hutq5q0k*c@TeTqI~P1xC^3sMbzXgk!s~6q)Iy<Rh}WD;;uqe
z*_HAw{ZdU9zQ88mCbpEpu5!Ftx=Ic@HTj_5lO;UCu4%I7`aKg2)@l{>Khb8eqQ^h6
z%HUjss|>aotcQ0^D>hiGDfE}>?CH|nuB)e&8v*(^JYD53J%R)`)ER8ZZLk}xyZ#LV
zMSW^{d$C;P?9tGFR9ENkPSm-3s^Qk^?zg&H|F=f?w`+{>cHR9h)^Hc=Zm<5SkiXYR
z*Q>Xe|9fp<1pVI|^}OW!&3b}k!Z8K?$BYb)8R5U#_3(cTG+f1SCve|nImS6b#~<bx
zu955qpTYZe_qb8M<A(h4DkFTA;TrWgPVy)9@SZ5c9c#EN3^$;=&YoV~^P^(8M#X+K
zGWfC12yZdm4#Vx%-JfK`RSehY@So}oHag}fqoYn3@+Wk8r~gEOE_lL7c*0?Dqv0Ag
zJJDruukM~SdivxfgBKX?8pAa*{?%ysUjlmgFCB)fwcOO8{}+!Q(7j)Ge<lH=tGhSq
z;lCP9__ILt^v}Z$*C_bU_#kGAoP1rI9(?MU?w-yt+&PA8)bCp(`L{Mb{5PZgzqxh(
z-6;QWidUX0hsnmw-8c7;7Ed#G-yFZrcLp?fUzM)E>&|XNPB{3eZn3WKT)M@Z_4tK0
zBVNz9Yhkg$i;ehFot<}ijDT`I;I6L>w(IUR;UJ@0o93R&Xvqql7wR3kuV#<Iy4=1c
zq{qm3$tok>$aslgV`tYwBjY7TO%~Q_5&M?(>Itd~4A)3lV8~V5^>8ZSgNX*qn!E48
zES(*>IzM3OTWHgHX^(L6GMSp@fq!b6r5iQDE{9%#eGlp*rOTn0eBUFw;w~z{BWn!#
zF3sJy!YKGc#o#JEeqpJ>hu}J~=uwGQbQl8dhQL;XYju8jhH&X$aNi0&yvxxo!mui9
zQNewy3_XSw*te?dKgVPIA%P*VSZk8tKGmqn-8L=ZzIuc2qIid{u(Vi@SEuTHSHR#5
zgZ&1F80^!zA)s?<9qKO%&|viG|5k(l+XDV|f|0@hT0p&|`_%tjLZg7ZtxPV8tkU(~
zL#~6%<?^sm+Y}Kl{#oXmVsxMAk#lk+@8YG9m$oVRIguO_N5SN}MbcnbOc%G5%hA%d
z0-ifZzA*%fJlrx(j+xv>x^=-x#kzY>hwd)U(A~mDBRrtHH}&Z5r4}Q+mph;?&cG!`
zvhk&Qw9CdlBHAX9{sp^6lXy9P=_JQ+?=(50|Hy735bV0YYTYeJl1t)x=x~?rF2U<w
z5v`R=1c`sau3?6|q;2&>QHjAWeNoT?wfICs`I27lMsmD5X}LvCW(BJs%HTb>$Pv8x
z7J1O>KPPg>OnI<WV;AA}>2ieFm}PL=Y;2mwO_xV;|8yC@8>Cb$K(SISwul+LZ3d#T
z&q9(JNNf|nTst(@Y8u_Ql15F?LxQ~NR{0{4bp*rKE`zs-LezE%Z$R_*Xp*87FU>?L
zN-N}|aHFa3MJ5XORUmDtkSeW2+Iy>n7dc0S*NR36cHLXYi|sOg2q_{wh+t?bh%6G)
zTBep+Q2)GLj^+zy$x*!Y9ub3#qXegkEwJW`5^Zo5zj>A%z1lqxM=3O3{VaK?0OTEk
zvzMHLW0Z{F_lc4P5XS0wPo*3^;PqqFBMN_^QqB<#8^MoPil&d^4pF~hv*lFonJrg@
z*PSc4JV$;+x-THgE3#uK6nbqAk~(M0DXZQ1VpO!!{jnn4ej6k*gs-VF(#-$oHo3pv
z4}K9*Dk9o$my39e(cz+RrTc5og_qopu2AMe`AXpv+2|dv_2d11A&7n)%x|A7k6Kp+
zxu&_0(;DTYxoEvLRdSj*5)9>ggfF5BzK}c6f{mgDCkP+9EJGy4=Uk0<$j)$wUe%>8
zuFMnd#@%;7(dc<-ic+V1v$WJLTGBEfDO!ZjHeW8}$LGn{@qj3RbH1FiZUKT?;o%;L
z@x#LB7rw#;Mr1WSS|qaz9qt8kE_dAtm8iRdpQ9N*p@`LqqK;iig<c?h9#M0<17g}x
zI3&V+A`GKxF#pR!j7zO89|(v*tv$w7%c<*-f>&1~?_7}<J%bN9MOcIbVQ%3o6h5B=
z`J#ywJ%I?)5@=P|vel~Ib{7&<++`%-_3&v4wu>Og-H1%S8$OTll?b0-_?+;qTLe$5
z2*RL83khG~F0@+2BH27J*yVKVz3@lN>WA<Zq)1kX7_6Dj79LoH(b@!D{qS%@d94mY
zf23beN-FYuphD!wx<y-v{8+E>i8&^@(0-Vw_aFoBVhkOZn0P-dM*H~?rVmlAC0#HI
zOXQW2Erxc(9ap6<>aQ1zMZJ{!XUk?js74;c_uiwG*X82HHNrT!b%FL88J9h}5*NPT
zsm02NcPDVdjXJwpczLZn4BtlP%)zMYsKxxFsCJ%vFA{X~QaBfc`t;Doe;XS3m(ax3
ze;UYh??Yo5im9<&9lZ2DEdvJ}igjr_2~lS5x)%#}H*ZHQWslQpK%_ad?tZyq^+Ol&
z+@)wabX*4a-A_xf7FHm_Tn`|&Sol1U<AqCU!j7CK4_^IenU8${gV{x*yj2KjqGb=j
zCsgwK2joE*C71cMcHFnEl)LUnxw^!7#$eCo?GMVs`ajgGMRzST@xX&}VYtOWtb-5A
z=ya!ChHpSyoN{uUOOINt{l`keFa8C)mTBb_t2p1}6s1e#HW!NT5Tz3fkF-oHXd41~
zj0?rn*6?L5B3^k2f!jr(|6%!3zV;#cPyLr^EeXY#m%}ld7t6eKnOI&Pl0$*ZV8NHk
z$tg?q>=(<}c%*1$x!|FtYFj3!(=dXPz%o=ngZCnIP%$NTJz^Qm2QHIi`K0A?TDXhC
zxnnu(eEKq6S*%$uk7sDJ<<NF6e%%VWj4ax68@I2Jb0Q6;%gc2oSD`Cob@R5|E-Krz
z0+p>_p-)3?Nq&0;CXxMNSUr!PrW~^l%cWT2m$!*DXqK9AL*a6KbpD8(&a}OeHjP5~
zo=4>6eC2W|p1D$vm0p~{Ygfw2ddMat#J5r&#uq*;hw`sh%Bj-pC-qqdlXsbucG4?i
z^#c4S_ol{wig*1J|1atPgI;IXe~9@16plmC3Wr`3+JWz?HCWc%eY=c>h<4z+jOBoi
z0B>n$lVBGe0p2Rm)8FOS)4vsEuutb*Jv!qEpdEtt?b@RUPyzPl8f+BcEtk#<g@Yr5
zf4#wq&b#Iqtf$+zYm(0YHwDxVLI1Uc$Z*#lyS;L@P%8eNKW%-v*<hofUpjQAf_5A6
zbPPP=H{y+g9toIu<YV&N7l~lxbH=B+=MLIu+I3!N)7(zejCHGIuW@hCIY`$+(w&1c
z`brNbF4j{I4CwJjGk3<i4Ax8E8E5pP(QKV@iXLzDYiH~kot;L<cE)xY0zS>{jNPiU
z*0H8wXRKRi$}rC8C*yG18C$EzFD%v5D@KK=y2&T?c;nRFnc>pdNvGY;kwyVX;Yd<w
z(*!$5=r!x23@)0gg?AYj7o8(k7_6u39I2=4dZb)WKXSMp|45a=nm#`EFY*xDr9XmS
zFZ~6(^hWLyj>p^f7rCil^sG5^?p8)DSWv4hy5qjvG+%#{$-A~e9+299$sKnuzN0$3
za>0E5_*QwzN@bgjzi|BZ$KL?_4aDCd{0;Uh+adywu6F0XWV58>MLzzQ5=%0EX;D1c
z;vL8wFWqc;b7aWEi=qR3_fpGn_(lf!aora)!W;8|Wlet({gt<MrDX!sB)!M$EGHL*
zOtSsB$b0mRg@r|y%wDXFDNx4bUi?Sp;`~c;3%tMdi?j|E(qDTc;v$vn8TKXfBS%Z#
z4sM?xiQmn5-SZ=_S}VQmTiazVi_FlP=ZhW1ntP-@)@x(dP)WM8hZpy=*0WM?S3heG
zem&xq&DJKya=k5~)(4qX)$YxZtuNjl^7@aRFM1Czw9b$;FE6~ydeSTcvGZJLjrLx9
zxAn6y5%mJkxzD=z!l*ayv);<IC~xvo>&GK_@dj%&58Yt3@P!+!tC`F_RhDSJaEC?a
z!=AL>q3_L5Q1Oz&6g*Pd#seFzMf~uS*4RjG0RD4aGEd)VwMBY_JpP?e=YPtY&s#TI
zWAX0D_LMbR(sfnfIB)?b^O~ouh0+|n#5ZJ+u7cTl?k4MYr0m&bO~&sYEzQ<^-HG89
z&DLHRxt;}<7+&3CZA-C;jDtsB4(RS3`glEZhdxe^+yU!~jlz+t_SFwff_sObw>@o5
z4{tQYt9amPtN3wc#xvHD*4w&7F#d&zNASoSK5l;orN0ATl|5s{|EeW|@z039JD0aT
zV~yc8&sYaR_v<#^^^7$+(xD4cbIdbw`zkBGuYDGAo_~tNHtJdHIB8xt?|sIK(;Q^5
zr?Nc@fA6!_82q}=vKbCGj+?Dz*r5oAr;Eqv=d803?S9VsckBFiLv26d29IEL*`7yz
z7PjfU&~3PldTZQ?J^iGC!6U}q+L1*z-t)Y5SpS87L(aovTdg-s3wyYu)#}6zLr<%9
zC1$ekZB)0u&Dw}fPsR(@VUh!{65Yb>;r@P+G2HorwMKIE@}5@!5nHTflB0`PZLubY
zYYRm1$X&7Ay#+P0aK~gcif@bcAYLUkzG(eHx--CC+pWpm`H&@yKfl#_F@yqJt>TyD
z@;2*8X>l9R-DVxlL$_HY_?_FV@nYvS83~Sai-jNFgkijWn^nQM4s5fwBGUbml_Rll
zaO5!lm!*-he5Tj>3mVb#h8Xtk)?#Uip9e-pM)MEat@mQwIbN}j<O^T6+N}SljBAZ;
z;>yCw(C#LHQu~kuqXpumQVCTzL{-&9{ZU+XAJOhAN&gh9(jv165h0O8NbLr(LZ)pR
z2huhXtPcVf3{qRlD^@FT>I7n5#Y^cj0SXq6Fg1CYS7HbR1EJpU%pD$^ogcn4-#z!-
zd(ZRE9nUl*MG`nHo30CR<U2Sjo-BoFK39e*dz$iXBg3(9L2X@aV}@7g)A8l&g%95C
zW$(XiGx_^4%@zTMX)(HXcY?`!lgY$~0o9-$%fC)j@3t-s812?zz%vh#o$Izj6un)v
zU0cy1Txar^`)L|1B(fiJsZsh!?}t8G)p`2?oV&R6Re1XRZt`j?lWcTDK}!vPgqpa0
zp)G$x9Fh)1pjZ5J`5?Wi;jYDVkmTLBz(F_z{&*Rt8T|YqI<D?uFicAfwJA0Z!68tl
z4q*fh>^w{*+K0I9IZX34tiOYY5yr3>Jpu{fgDgkLuYHta=TR!5rH{SKVun$8j?xf)
zoDw<Ucn1F-+!|9dr+JvB;}|YKiC~AoHe*8k6AbrxC~eO%vO~*}V+a;_^ca;1`TtF|
zFV{SF2a{_$zQ!Xb>3DP0DlNBYMo^I8(2Scc2@Y$DIqNvwpgCdDMY!}h1Y+Zc<MgH0
zoWgdUEpI}6bq1IJK(h*!0mN79^~)C3FIcvyNt)sC%1=7JI?CQ3AYO?*xw+|hi&Nn(
zQlP#C_s-J&8pJ5+zAeh`6NpVNs~R7lIzd$sX6yuv#>=gLlg?Z4oc~7}&{~3z0bj`Z
zAIizpK81grg!DbEpG3Ex#nh#bgE~UY=N;@hO~2*59x8&hI8V`Z?m9);{MQ~T<kx#>
z8h4+D)$Epf++6gaYpC~>8FtVz%C6HeQly>JGz?RzK7;gC%*Gk|KwFzq-e30<HHg!m
z0mtmK^e*C-=Pc9$k30)@zEJ5o8knH@V}1i}TXunFX&WN!xq!MX4ql+Y+ubsE9F{3;
zL@v05K~-KP2W>Q?)A-5)o^#Irf>2E6Z!S`v-DWZv$D)Ae{u!?H%S9?2AD>kp?`oT1
zR_75IHeaGbOd@g#Lfe2@4`4FWdMR(>2FrXl#-y@{-|MB^C*URr2aD_l%)M0b6l~x~
zFTMWsTK8W@8Y%tX5u%gw%ZRp{b#6s<X1OVys-3nMxWu5zIj?>Mdatxe$G3P;iF~C<
z-asHUNnU%FB#F0UL8I8rJ!!|Z4NM6eazE1_v_RBsJA46cA+$*a^$VYAymg%PHe=KM
zL&|?L1I*p{nX1O?X*?OE;fYhFwl&7VxY)4&%9Bwqz5=yx!yvC9M5sYN*5D-0?4$h5
zdUJ%P!rtsdCd}`H3aT!_LIZusKa2aw$=z!q9vMI1LK6-N_IVdnT+)vgzv`D1ao(2A
zwYbdO#_dIRCx`lJs<sWb+K-++O0%;EC{NpJ$c4Oru5>tnEYcw7PL2&A=<X96m^z3q
z?xBk3$yu5F@F48?gF)1u8^mG<X><^5YNROQKP4zv+Y)3?0+zG|IZ?oHg7QG8CqU;@
z(92gr7tq;t6&Q8}ZrYF|uVMo8`YDHZU!^xPD@=*}`Wohf_2xCG@#~lgu|SA{*C5^+
z6Pa}#;@uJC>g%A|kutH+bx^t3xDG0xiTv>fsCMdHe*=)igwEXnk;i}YsiJOzW)~DC
zP`MNZeD5ZRU`az@zB{V0rXgT94i16Lt)QvHfCB6q2HBp3!oCu$l=WedH7KYoNprMz
zL;&%-l}Q+BH3yQA!g?u+_(2kq`PyLHEnwL25^TvW2(X^Lw;<FV9SS=ySOzDBtb&sx
zG@IYK4MW0H>f30t`Zn0?jLAhAgk@q6Zleh{A4kAuS5RR~MnJbK#oiIn;c1VwJwF0E
zC~5=|b+^u?cTnY!0&MS~%EJMHwkznt9dOu_WZPX}*ozUeC3ivQ#Y?s5sU3+@)T`eW
zJ5Ey0r1%$E%CmzG|0v=sBJ(H+_eR-RYnzU&uooXV7)4ab;J_%-Kn3fgSV_P-k;%F8
z9<^%w3^wkeKc5tMT9cw2EfnGE6wR@F6!VS>tHh!Ru(eke?{IT8g^BG;aMu0*U!Csr
z`cGl$(4h-22iM;>SE9cA7zVZorSNb<idJ?!pfdGjEFBN8SDl5uR_RlD?mKMS{qB`?
zyt7zvIhHP3TDNSuI!C*xoS`(+H_BH3LwadqIAOua#t#uoGT8f&%H&_#LfmOsWkPk*
z>1tb5&8{)5IGt8al5570R;$%z7d~S)M%V)#qbwQ!7*>{{6c^TIP2m?G(F(0A!GT9u
z<8&F^@kr9C|2<soufa=<SOaHp>KBCY?Ox&bBrG2YaB13HLE+PD`Pu=4eQ8MUKuqPu
z?lcy{T^$_!2j%~>WJ<Bt9cgq=X>{i{y7L;{`Hk+Wd)<y*bK6?0bJP0flrT=~TP9nj
zE97uF2A|8WP}h6@(za^db7}qCBcZ_W9c5Xw%T2te*kzT9F4ko2IW(;k9N&vdx2-DY
V@=C{$)}-@W?`Qpn->z~z`Y*YX)6)O|

diff --git a/roms/openbios b/roms/openbios
index 7e5b89e429..7f28286f5c 160000
--- a/roms/openbios
+++ b/roms/openbios
@@ -1 +1 @@
-Subproject commit 7e5b89e4295063d8eba55b9c8ce8bc681c2d129a
+Subproject commit 7f28286f5cb1ca682e3ba0a8706d8884f12bc49e
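Review bot: the gitlink bump from 7e5b89e4295063d8eba55b9c8ce8bc681c2d129a to 7f28286f5cb1ca682e3ba0a8706d8884f12bc49e is the only human-readable part of this OpenBIOS update, so the prebuilt images the subject describes as "built from submodule" have to be taken on trust. Before this lands in stable, rebuild the images from 7f28286f5cb1ca682e3ba0a8706d8884f12bc49e and compare hashes with the committed binaries, and have the commit message record the toolchain used so that the check is repeatable.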
-- 
2.17.1




* [PATCH 71/77] migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (69 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 70/77] Update OpenBIOS images to 7f28286f built from submodule Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 72/77] block: Fix bdrv_aligned_p*v() for qiov_offset != 0 Michael Roth
                   ` (8 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Vladimir Sementsov-Ogievskiy, qemu-stable

From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Using the _locked version of bdrv_enable_dirty_bitmap to bypass locking
is wrong as we do not already own the mutex.  Moreover, the adjacent
call to bdrv_dirty_bitmap_enable_successor grabs the mutex.

Fixes: 58f72b965e9e1q
Cc: qemu-stable@nongnu.org # v3.0
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200727194236.19551-8-vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit e6ce5e92248be5547daaee3eb6cd226e9820cf7b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 migration/block-dirty-bitmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c
index 7eafface61..16f1793ee3 100644
--- a/migration/block-dirty-bitmap.c
+++ b/migration/block-dirty-bitmap.c
@@ -498,7 +498,7 @@ void dirty_bitmap_mig_before_vm_start(void)
         DirtyBitmapLoadBitmapState *b = item->data;
 
         if (b->migrated) {
-            bdrv_enable_dirty_bitmap_locked(b->bitmap);
+            bdrv_enable_dirty_bitmap(b->bitmap);
         } else {
             bdrv_dirty_bitmap_enable_successor(b->bitmap);
         }
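Review bot: in the `if (b->migrated)` branch the locking contract is still implicit. The fix relies on dirty_bitmap_mig_before_vm_start() running without the mutex held, yet nothing in the function says so. Both branches now take the lock themselves (the commit message notes that bdrv_dirty_bitmap_enable_successor grabs the mutex), so a one-line comment above the `if` stating that the caller must not hold it would keep a `_locked` call from creeping back in. Separately, the Fixes: tag in the commit message reads 58f72b965e9e1q, which is not a valid hex commit id.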
-- 
2.17.1




* [PATCH 72/77] block: Fix bdrv_aligned_p*v() for qiov_offset != 0
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (70 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 71/77] migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 73/77] iotests/028: Add test for cross-base-EOF reads Michael Roth
                   ` (7 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Max Reitz

From: Max Reitz <mreitz@redhat.com>

Since these functions take a @qiov_offset, they must always take it into
account when working with @qiov.  There are a couple of places where
they do not, but they should.

Fixes: 65cd4424b9df03bb5195351c33e04cbbecc0705c
       ("block/io: bdrv_aligned_preadv: use and support qiov_offset")
Fixes: 28c4da28695bdbe04b336b2c9c463876cc3aaa6d
       ("block/io: bdrv_aligned_pwritev: use and support qiov_offset")
Reported-by: Claudio Fontana <cfontana@suse.de>
Reported-by: Bruce Rogers <brogers@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200728120806.265916-2-mreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Tested-by: Claudio Fontana <cfontana@suse.de>
Tested-by: Bruce Rogers <brogers@suse.com>
(cherry picked from commit 134b7dec6ec2d90616d7986afb3b3b7ca7a4c383)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/io.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/block/io.c b/block/io.c
index aba67f66b9..496c813dd8 100644
--- a/block/io.c
+++ b/block/io.c
@@ -1501,12 +1501,13 @@ static int coroutine_fn bdrv_aligned_preadv(BdrvChild *child,
             assert(num);
 
             ret = bdrv_driver_preadv(bs, offset + bytes - bytes_remaining,
-                                     num, qiov, bytes - bytes_remaining, 0);
+                                     num, qiov,
+                                     qiov_offset + bytes - bytes_remaining, 0);
             max_bytes -= num;
         } else {
             num = bytes_remaining;
-            ret = qemu_iovec_memset(qiov, bytes - bytes_remaining, 0,
-                                    bytes_remaining);
+            ret = qemu_iovec_memset(qiov, qiov_offset + bytes - bytes_remaining,
+                                    0, bytes_remaining);
         }
         if (ret < 0) {
             goto out;
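Review bot: both branches of this hunk now add qiov_offset by hand to `bytes - bytes_remaining`, the same term that is also added to `offset` in the bdrv_driver_preadv() call, so a later edit can drop one addend again just as easily. Compute the progress once in a local (for example `done = bytes - bytes_remaining`) and pass `offset + done` and `qiov_offset + done`. With the old arguments, a caller passing a non-zero qiov_offset got both the read data and the zero fill placed at the wrong position in its vector, leaving the intended region untouched. An assert before the loop that `qiov_offset + bytes` stays within the qiov would turn any remaining mismatch into an immediate failure, if one is not already present outside this hunk.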
@@ -2009,7 +2010,8 @@ static int coroutine_fn bdrv_aligned_pwritev(BdrvChild *child,
             }
 
             ret = bdrv_driver_pwritev(bs, offset + bytes - bytes_remaining,
-                                      num, qiov, bytes - bytes_remaining,
+                                      num, qiov,
+                                      qiov_offset + bytes - bytes_remaining,
                                       local_flags);
             if (ret < 0) {
                 break;
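Review bot: the write-side fix in bdrv_aligned_pwritev() has no regression test in this series; the iotest 028 case added in [PATCH 73/77] only issues a `read -v` across the backing EOF. With the old argument `bytes - bytes_remaining`, a fragmented write with a non-zero qiov_offset would take its payload from the wrong position in the vector, which is silent data corruption rather than an error return. A test that drives a write with non-zero qiov_offset through this loop and reads the data back would cover it.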
-- 
2.17.1




* [PATCH 73/77] iotests/028: Add test for cross-base-EOF reads
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (71 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 72/77] block: Fix bdrv_aligned_p*v() for qiov_offset != 0 Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 74/77] nbd: Fix large trim/zero requests Michael Roth
                   ` (6 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Max Reitz

From: Max Reitz <mreitz@redhat.com>

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200728120806.265916-3-mreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Tested-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Tested-by: Claudio Fontana <cfontana@suse.de>
(cherry picked from commit ae159450e161b3e1e2c5b815d19632abbbbcd1a1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/028     | 19 +++++++++++++++++++
 tests/qemu-iotests/028.out | 11 +++++++++++
 2 files changed, 30 insertions(+)

diff --git a/tests/qemu-iotests/028 b/tests/qemu-iotests/028
index 797dae5350..1e52986b74 100755
--- a/tests/qemu-iotests/028
+++ b/tests/qemu-iotests/028
@@ -142,6 +142,25 @@ TEST_IMG="${TEST_IMG}.copy" io_zero readv $(( offset + 32 * 1024 )) 512 1024 32
 
 _check_test_img
 
+echo
+echo '=== Reading across backing EOF in one operation ==='
+echo
+
+# Use a cluster boundary as the base end here
+base_size=$((3 * 1024 * 1024 * 1024))
+
+TEST_IMG="$TEST_IMG.base" _make_test_img $base_size
+_make_test_img -b "$TEST_IMG.base" -F $IMGFMT $image_size
+
+# Write 16 times 42 at the end of the base image
+$QEMU_IO -c "write -P 42 $((base_size - 16)) 16" "$TEST_IMG.base" \
+    | _filter_qemu_io
+
+# Read 32 bytes across the base EOF from the top;
+# should be 16 times 0x2a, then 16 times 0x00
+$QEMU_IO -c "read -v $((base_size - 16)) 32" "$TEST_IMG" \
+    | _filter_qemu_io
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
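Review bot: The new read at `$((base_size - 16)) 32` only crosses the backing EOF if the overlay created with `$image_size` extends at least 16 bytes past the 3 GiB `base_size`, and `image_size` is defined outside this hunk. A short comment stating that dependency next to `base_size=...` would make the cause obvious if a later change to `image_size` breaks this case. The commit message also has no body; one line naming the block-layer fix this test covers would help when bisecting.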
diff --git a/tests/qemu-iotests/028.out b/tests/qemu-iotests/028.out
index 37aed84436..51ae06d38f 100644
--- a/tests/qemu-iotests/028.out
+++ b/tests/qemu-iotests/028.out
@@ -730,4 +730,15 @@ read 512/512 bytes at offset 3221257728
 read 512/512 bytes at offset 3221258752
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 No errors were found on the image.
+
+=== Reading across backing EOF in one operation ===
+
+Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=3221225472
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294968832 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
+wrote 16/16 bytes at offset 3221225456
+16 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+bffffff0:  2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a  ................
+c0000000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+read 32/32 bytes at offset 3221225456
+32 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 *** done
-- 
2.17.1




* [PATCH 74/77] nbd: Fix large trim/zero requests
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (72 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 73/77] iotests/028: Add test for cross-base-EOF reads Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 75/77] virtio-net: align RSC fields with updated virtio-net header Michael Roth
                   ` (5 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Eric Blake <eblake@redhat.com>

Although qemu as NBD client limits requests to <2G, the NBD protocol
allows clients to send requests almost all the way up to 4G.  But
because our block layer is not yet 64-bit clean, we accidentally wrap
such requests into a negative size, and fail with EIO instead of
performing the intended operation.

The bug is visible in modern systems with something as simple as:

$ qemu-img create -f qcow2 /tmp/image.img 5G
$ sudo qemu-nbd --connect=/dev/nbd0 /tmp/image.img
$ sudo blkdiscard /dev/nbd0

or with user-space only:

$ truncate --size=3G file
$ qemu-nbd -f raw file
$ nbdsh -u nbd://localhost:10809 -c 'h.trim(3*1024*1024*1024,0)'

Although both blk_co_pdiscard and blk_pwrite_zeroes currently return 0
on success, this is also a good time to fix our code to a more robust
paradigm that treats all non-negative values as success.

Alas, our iotests do not currently make it easy to add external
dependencies on blkdiscard or nbdsh, so we have to rely on manual
testing for now.

This patch can be reverted when we later improve the overall block
layer to be 64-bit clean, but for now, a minimal fix was deemed less
risky prior to release.

CC: qemu-stable@nongnu.org
Fixes: 1f4d6d18ed
Fixes: 1c6c4bb7f0
Fixes: https://github.com/systemd/systemd/issues/16242
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200722212231.535072-1-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
[eblake: rework success tests to use >=0]
(cherry picked from commit 890cbccb089db9e646cc1baea3be9dc060e3917b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd/server.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 20754e9ebc..0918173c1b 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -2365,8 +2365,17 @@ static coroutine_fn int nbd_handle_request(NBDClient *client,
         if (request->flags & NBD_CMD_FLAG_FAST_ZERO) {
             flags |= BDRV_REQ_NO_FALLBACK;
         }
-        ret = blk_pwrite_zeroes(exp->blk, request->from + exp->dev_offset,
-                                request->len, flags);
+        ret = 0;
+        /* FIXME simplify this when blk_pwrite_zeroes switches to 64-bit */
+        while (ret >= 0 && request->len) {
+            int align = client->check_align ?: 1;
+            int len = MIN(request->len, QEMU_ALIGN_DOWN(BDRV_REQUEST_MAX_BYTES,
+                                                        align));
+            ret = blk_pwrite_zeroes(exp->blk, request->from + exp->dev_offset,
+                                    len, flags);
+            request->len -= len;
+            request->from += len;
+        }
         return nbd_send_generic_reply(client, request->handle, ret,
                                       "writing to file failed", errp);
 
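Review bot: In the new write-zeroes loop, `request->len` and `request->from` are updated in place, so after the loop `request` no longer describes what the client asked for, and on a failure part-way through the earlier chunks have already been zeroed. Working on local copies of the offset and remaining length would leave `request` intact, and a comment should say that an error reply after partial progress is acceptable here. The last `ret` from `blk_pwrite_zeroes` is also passed straight to `nbd_send_generic_reply`; since the loop now treats any non-negative value as success, check that the reply path does the same.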
@@ -2380,9 +2389,18 @@ static coroutine_fn int nbd_handle_request(NBDClient *client,
                                       "flush failed", errp);
 
     case NBD_CMD_TRIM:
-        ret = blk_co_pdiscard(exp->blk, request->from + exp->dev_offset,
-                              request->len);
-        if (ret == 0 && request->flags & NBD_CMD_FLAG_FUA) {
+        ret = 0;
+        /* FIXME simplify this when blk_co_pdiscard switches to 64-bit */
+        while (ret >= 0 && request->len) {
+            int align = client->check_align ?: 1;
+            int len = MIN(request->len, QEMU_ALIGN_DOWN(BDRV_REQUEST_MAX_BYTES,
+                                                        align));
+            ret = blk_co_pdiscard(exp->blk, request->from + exp->dev_offset,
+                                  len);
+            request->len -= len;
+            request->from += len;
+        }
+        if (ret >= 0 && request->flags & NBD_CMD_FLAG_FUA) {
             ret = blk_co_flush(exp->blk);
         }
         return nbd_send_generic_reply(client, request->handle, ret,
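Review bot: The chunking loop in the NBD_CMD_TRIM case is a line-for-line copy of the one added for write-zeroes, including the `client->check_align ?: 1` clamp and the FIXME. A small helper that takes the per-chunk operation would keep the two sites in step and leave one place to simplify when the block layer becomes 64-bit clean. `int len` also deserves a comment: it is safe only as long as `QEMU_ALIGN_DOWN(BDRV_REQUEST_MAX_BYTES, align)` fits in an int, which this hunk does not show.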
-- 
2.17.1




* [PATCH 75/77] virtio-net: align RSC fields with updated virtio-net header
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (73 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 74/77] nbd: Fix large trim/zero requests Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 76/77] hw/arm/sbsa-ref: fix typo breaking PCIe IRQs Michael Roth
                   ` (4 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Yuri Benditovich, Jason Wang, qemu-stable

From: Yuri Benditovich <yuri.benditovich@daynix.com>

Removal of duplicated RSC definitions. Changing names of the
fields to ones defined in the Linux header.

Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit dd3d85e89123c907be7628957457af3d03e3b85b)
 Conflicts:
	hw/net/virtio-net.c
*drop context dep. on 590790297c0
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 27 ++++-----------------------
 1 file changed, 4 insertions(+), 23 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index e7e2c2acdb..6cb1448310 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -77,25 +77,6 @@
    tso/gso/gro 'off'. */
 #define VIRTIO_NET_RSC_DEFAULT_INTERVAL 300000
 
-/* temporary until standard header include it */
-#if !defined(VIRTIO_NET_HDR_F_RSC_INFO)
-
-#define VIRTIO_NET_HDR_F_RSC_INFO  4 /* rsc_ext data in csum_ fields */
-#define VIRTIO_NET_F_RSC_EXT       61
-
-static inline __virtio16 *virtio_net_rsc_ext_num_packets(
-    struct virtio_net_hdr *hdr)
-{
-    return &hdr->csum_start;
-}
-
-static inline __virtio16 *virtio_net_rsc_ext_num_dupacks(
-    struct virtio_net_hdr *hdr)
-{
-    return &hdr->csum_offset;
-}
-
-#endif
 
 static VirtIOFeature feature_sizes[] = {
     {.flags = 1ULL << VIRTIO_NET_F_MAC,
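Review bot: Removing the `#if !defined(VIRTIO_NET_HDR_F_RSC_INFO)` fallback leaves two consecutive blank lines before `feature_sizes[]`; drop one. With the fallback gone, this file depends on the imported header providing `VIRTIO_NET_HDR_F_RSC_INFO` and `VIRTIO_NET_F_RSC_EXT`, so for a stable backport the conflict note should state which header update in the series this patch relies on.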
@@ -1539,15 +1520,15 @@ static size_t virtio_net_rsc_drain_seg(VirtioNetRscChain *chain,
                                        VirtioNetRscSeg *seg)
 {
     int ret;
-    struct virtio_net_hdr *h;
+    struct virtio_net_hdr_v1 *h;
 
-    h = (struct virtio_net_hdr *)seg->buf;
+    h = (struct virtio_net_hdr_v1 *)seg->buf;
     h->flags = 0;
     h->gso_type = VIRTIO_NET_HDR_GSO_NONE;
 
     if (seg->is_coalesced) {
-        *virtio_net_rsc_ext_num_packets(h) = seg->packets;
-        *virtio_net_rsc_ext_num_dupacks(h) = seg->dup_ack;
+        h->rsc.segments = seg->packets;
+        h->rsc.dup_acks = seg->dup_ack;
         h->flags = VIRTIO_NET_HDR_F_RSC_INFO;
         if (chain->proto == ETH_P_IP) {
             h->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
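Review bot: The cast of `seg->buf` changes from `struct virtio_net_hdr *` to `struct virtio_net_hdr_v1 *`, but nothing in this hunk shows that the segment buffer is always large enough for the v1 layout. Please confirm that, or add a comment that only `flags`, `gso_type` and the `rsc` fields are touched through `h`. The assignments `h->rsc.segments = seg->packets` and `h->rsc.dup_acks = seg->dup_ack` store the values with no visible byte-order conversion, as the old accessors did; worth a comment if that is intentional.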
-- 
2.17.1




* [PATCH 76/77] hw/arm/sbsa-ref: fix typo breaking PCIe IRQs
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (74 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 75/77] virtio-net: align RSC fields with updated virtio-net header Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-03 20:59 ` [PATCH 77/77] usb: fix setup_len init (CVE-2020-14364) Michael Roth
                   ` (3 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Graeme Gregory, Peter Maydell, qemu-stable

From: Graeme Gregory <graeme@nuviainc.com>

Fixing a typo in a previous patch that translated an "i" to a 1
and therefore broke the allocation of PCIe interrupts. This was
discovered when virtio-net-pci devices ceased to function correctly.

Cc: qemu-stable@nongnu.org
Fixes: 48ba18e6d3f3 ("hw/arm/sbsa-ref: Simplify by moving the gic in the machine state")
Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200821083853.356490-1-graeme@nuviainc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 870f0051b4ada9a361f7454f833432ae8c06c095)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/sbsa-ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index 8409ba853d..0b32084dc0 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -555,7 +555,7 @@ static void create_pcie(SBSAMachineState *sms)
 
     for (i = 0; i < GPEX_NUM_IRQS; i++) {
         sysbus_connect_irq(SYS_BUS_DEVICE(dev), i,
-                           qdev_get_gpio_in(sms->gic, irq + 1));
+                           qdev_get_gpio_in(sms->gic, irq + i));
         gpex_set_irq_num(GPEX_HOST(dev), i, irq + i);
     }
 
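Review bot: `irq + i` now appears twice in the loop body, once for `qdev_get_gpio_in()` and once for `gpex_set_irq_num()`, and the bug being fixed was exactly those two disagreeing. Computing the interrupt number once per iteration and passing the same local to both calls would rule out a repeat of the typo.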
-- 
2.17.1




* [PATCH 77/77] usb: fix setup_len init (CVE-2020-14364)
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (75 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 76/77] hw/arm/sbsa-ref: fix typo breaking PCIe IRQs Michael Roth
@ 2020-09-03 20:59 ` Michael Roth
  2020-09-04  9:20 ` [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Philippe Mathieu-Daudé
                   ` (2 subsequent siblings)
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-03 20:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann

From: Gerd Hoffmann <kraxel@redhat.com>

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
(cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/core.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/hw/usb/core.c b/hw/usb/core.c
index 5abd128b6b..5234dcc73f 100644
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
 static void do_token_setup(USBDevice *s, USBPacket *p)
 {
     int request, value, index;
+    unsigned int setup_len;
 
     if (p->iov.size != 8) {
         p->status = USB_RET_STALL;
@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
     usb_packet_copy(p, s->setup_buf, p->iov.size);
     s->setup_index = 0;
     p->actual_length = 0;
-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
         fprintf(stderr,
                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
         p->status = USB_RET_STALL;
         return;
     }
+    s->setup_len = setup_len;
 
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
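Review bot: `setup_len` is now `unsigned int`, but the fprintf in the error path of do_token_setup() still formats it with `%d`; use `%u` to match the new type. The check bounds the length by `sizeof(s->data_buf)`, so a one-line comment above `s->setup_len = setup_len;` saying that the field may only ever hold a value validated against data_buf would document the invariant the do_token_{in,out} functions rely on.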
@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
 static void do_parameter(USBDevice *s, USBPacket *p)
 {
     int i, request, value, index;
+    unsigned int setup_len;
 
     for (i = 0; i < 8; i++) {
         s->setup_buf[i] = p->parameter >> (i*8);
     }
 
     s->setup_state = SETUP_STATE_PARAM;
-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
     s->setup_index = 0;
 
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
 
-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
         fprintf(stderr,
                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
         p->status = USB_RET_STALL;
         return;
     }
+    s->setup_len = setup_len;
 
     if (p->pid == USB_TOKEN_OUT) {
         usb_packet_copy(p, s->data_buf, s->setup_len);
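Review bot: In do_parameter(), `s->setup_state = SETUP_STATE_PARAM` and `s->setup_index = 0` are still written before the length check, so on the STALL path the device is left in the PARAM state with the previous `s->setup_len`. As long as that field is only ever set through these validated paths it stays within `data_buf`, but moving the state updates below the check, or resetting the state on the error path, would avoid leaving a half-updated transfer behind. The `%d` in the fprintf should be `%u` here as well, since `setup_len` is unsigned.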
-- 
2.17.1




* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (76 preceding siblings ...)
  2020-09-03 20:59 ` [PATCH 77/77] usb: fix setup_len init (CVE-2020-14364) Michael Roth
@ 2020-09-04  9:20 ` Philippe Mathieu-Daudé
  2020-09-10 18:16   ` Michael Roth
  2020-09-04 13:17 ` Thomas Huth
  2020-09-10 18:14 ` Michael Roth
  79 siblings, 1 reply; 86+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-04  9:20 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 9/3/20 10:58 PM, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v5.0.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-5.0-staging
> 
> Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
> 
>   https://wiki.qemu.org/Planning/5.0
> 
> Please respond here or CC qemu-stable@nongnu.org on any additional patches
> you think should be included in the release.

Candidates:

b638627c723 ("hw/sd: Fix incorrect populated function switch status data
structure")
6d2d4069c47 ("hw/sd: Correct the maximum size of a Standard Capacity SD
Memory Card")

And maybe "memory: assert and define MemoryRegionOps callbacks"
https://www.mail-archive.com/qemu-devel@nongnu.org/msg729048.html

> 
> Thanks!




* Re: [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring
  2020-09-03 20:58 ` [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring Michael Roth
@ 2020-09-04 10:59   ` Christian Schoenebeck
  0 siblings, 0 replies; 86+ messages in thread
From: Christian Schoenebeck @ 2020-09-04 10:59 UTC (permalink / raw)
  To: qemu-devel, qemu-stable; +Cc: Michael Roth, Greg Kurz

Additional candidate:

353b5a91cc 9p: null terminate fs driver options list

Best regards,
Christian Schoenebeck





* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (77 preceding siblings ...)
  2020-09-04  9:20 ` [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Philippe Mathieu-Daudé
@ 2020-09-04 13:17 ` Thomas Huth
  2020-09-10 18:14 ` Michael Roth
  79 siblings, 0 replies; 86+ messages in thread
From: Thomas Huth @ 2020-09-04 13:17 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable, Greg Kurz

On 03/09/2020 22.58, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v5.0.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-5.0-staging
> 
> Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
> 
>   https://wiki.qemu.org/Planning/5.0
> 
> Please respond here or CC qemu-stable@nongnu.org on any additional patches
> you think should be included in the release.
> 
> Thanks!

I'd maybe add:

 37035df51eaabb8d26b71da75b88a1c6727de8fa
 nvram: Exit QEMU if NVRAM cannot contain all -prom-env data

  Thomas




* Re: [PATCH 66/77] virtio: verify that legacy support is not accidentally on
  2020-09-03 20:59 ` [PATCH 66/77] virtio: verify that legacy support is not accidentally on Michael Roth
@ 2020-09-07 12:18   ` Cornelia Huck
  0 siblings, 0 replies; 86+ messages in thread
From: Cornelia Huck @ 2020-09-07 12:18 UTC (permalink / raw)
  To: Michael Roth; +Cc: Michael S . Tsirkin, qemu-devel, qemu-stable

On Thu,  3 Sep 2020 15:59:24 -0500
Michael Roth <mdroth@linux.vnet.ibm.com> wrote:

> From: Cornelia Huck <cohuck@redhat.com>
> 
> If a virtio device does not have legacy support, make sure that
> it is actually off, and bail out if not.
> 
> For virtio-pci, this means that any device without legacy support
> that has been specified to modern-only (or that has been forced
> to it) will work.
> 
> For virtio-ccw, this duplicates the check that is currently done
> prior to realization for any device that explicitly specified no
> support for legacy.
> 
> This catches devices that have not been fenced properly.
> 
> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
> Message-Id: <20200707105446.677966-3-cohuck@redhat.com>
> Cc: qemu-stable@nongnu.org
> Acked-by: Halil Pasic <pasic@linux.ibm.com>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> (cherry picked from commit 9b3a35ec8236933ab958a4c3ad883163f1ca66e7)
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> ---
>  hw/s390x/virtio-ccw.c  | 6 ++++++
>  hw/virtio/virtio-pci.c | 4 ++++
>  2 files changed, 10 insertions(+)

I don't think we want to backport this (and the previous patch) to
stable. (Actually, my original patch didn't have the stable tag.)

This has flushed out several devices (mem, vsock, iommu) that should be
modern only, but weren't; unfortunately, this also breaks existing
command line invocations. We *might* consider including this together
with patches that force those devices to modern only, but I see only
the patch for virtio-mem has reached master yet.




* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
                   ` (78 preceding siblings ...)
  2020-09-04 13:17 ` Thomas Huth
@ 2020-09-10 18:14 ` Michael Roth
  79 siblings, 0 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-10 18:14 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Quoting Michael Roth (2020-09-03 15:58:18)
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v5.0.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-5.0-staging
> 
> Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
> 
>   https://wiki.qemu.org/Planning/5.0
> 
> Please respond here or CC qemu-stable@nongnu.org on any additional patches
> you think should be included in the release.

Updated staging tree with the following patches:
  virtio-ccw: fix virtio_set_ind_atomic
  nvram: Exit QEMU if NVRAM cannot contain all -prom-env data
  9p: null terminate fs driver options list

and removed as suggested:
  virtio: list legacy-capable devices
  virtio: verify that legacy support is not accidentally on

Thanks for the suggestions!

> 
> Thanks!
> 
> 
> ----------------------------------------------------------------
> Alexander Duyck (3):
>       virtio-balloon: Prevent guest from starting a report when we didn't request one
>       virtio-balloon: Add locking to prevent possible race when starting hinting
>       virtio-balloon: Replace free page hinting references to 'report' with 'hint'
> 
> Alistair Francis (1):
>       hw/riscv: Allow 64 bit access to SiFive CLINT
> 
> Allan Peramaki (1):
>       hw/audio/gus: Fix registers 32-bit access
> 
> Andrew Melnychenko (1):
>       virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.
> 
> Christian Schoenebeck (1):
>       xen-9pfs: Fix log messages of reply errors
> 
> Cornelia Huck (3):
>       linux-headers: update against Linux 5.7-rc3
>       virtio: list legacy-capable devices
>       virtio: verify that legacy support is not accidentally on
> 
> Dan Robertson (1):
>       9pfs: include linux/limits.h for XATTR_SIZE_MAX
> 
> David Hildenbrand (4):
>       virtio-balloon: fix free page hinting without an iothread
>       virtio-balloon: fix free page hinting check on unrealize
>       virtio-balloon: unref the iothread when unrealizing
>       virtio-balloon: always indicate S_DONE when migration fails
> 
> Eric Blake (4):
>       nbd/server: Avoid long error message assertions CVE-2020-10761
>       block: Call attention to truncation of long NBD exports
>       nbd: Avoid off-by-one in long export name truncation
>       nbd: Fix large trim/zero requests
> 
> Gerd Hoffmann (1):
>       usb: fix setup_len init (CVE-2020-14364)
> 
> Graeme Gregory (1):
>       hw/arm/sbsa-ref: fix typo breaking PCIe IRQs
> 
> Greg Kurz (1):
>       9p: Lock directory streams with a CoMutex
> 
> Helge Deller (2):
>       Fix tulip breakage
>       hw/display/artist: Unbreak size mismatch memory accesses
> 
> Igor Mammedov (1):
>       hostmem: don't use mbind() if host-nodes is empty
> 
> Jason Wang (1):
>       net: use peer when purging queue in qemu_flush_or_purge_queue_packets()
> 
> Kevin Wolf (1):
>       iotests/283: Use consistent size for source and target
> 
> Laurent Vivier (1):
>       xhci: fix valid.max_access_size to access address registers
> 
> Liu Yi L (1):
>       intel_iommu: Use correct shift for 256 bits qi descriptor
> 
> Marc-André Lureau (1):
>       qga: fix assert regression on guest-shutdown
> 
> Mark Cave-Ayland (1):
>       Update OpenBIOS images to 7f28286f built from submodule.
> 
> Markus Armbruster (4):
>       net/virtio: Fix failover_replug_primary() return value regression
>       error: Use error_reportf_err() where appropriate
>       usb/dev-mtp: Fix Error double free after inotify failure
>       qdev: Fix device_add DRIVER,help to print to monitor
> 
> Max Reitz (3):
>       virtiofsd: Whitelist fchmod
>       block: Fix bdrv_aligned_p*v() for qiov_offset != 0
>       iotests/028: Add test for cross-base-EOF reads
> 
> Michael S. Tsirkin (1):
>       memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
> 
> Michael Tokarev (1):
>       acpi: accept byte and word access to core ACPI registers
> 
> Michal Privoznik (2):
>       util: Introduce qemu_get_host_name()
>       qga: Use qemu_get_host_name() instead of g_get_host_name()
> 
> Niek Linnenbank (1):
>       docs/orangepi: Add instructions for resizing SD image to power of two
> 
> Omar Sandoval (1):
>       9pfs: local: ignore O_NOATIME if we don't have permissions
> 
> Paolo Bonzini (3):
>       KVM: x86: believe what KVM says about WAITPKG
>       libqos: usb-hcd-ehci: use 32-bit write for config register
>       libqos: pci-pc: use 32-bit write for EJ register
> 
> Pavel Dovgaluk (3):
>       tests/acceptance: allow console interaction with specific VMs
>       tests/acceptance: refactor boot_linux to allow code reuse
>       tests/acceptance: refactor boot_linux_console test to allow code reuse
> 
> Philippe Mathieu-Daudé (9):
>       hw/net/e1000e: Do not abort() on invalid PSRCTL register value
>       tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
>       tests/acceptance/boot_linux: Expand SD card image to power of 2
>       hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
>       hw/sd/sdcard: Simplify realize() a bit
>       hw/sd/sdcard: Do not allow invalid SD card sizes
>       hw/sd/sdcard: Update coding style to make checkpatch.pl happy
>       hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
>       libvhost-user: Report descriptor index on panic
> 
> Prasad J Pandit (2):
>       ati-vga: check mm_index before recursive call (CVE-2020-13800)
>       es1370: check total frame count against current frame
> 
> Raphael Pour (1):
>       qemu-nbd: Close inherited stderr
> 
> Richard Henderson (2):
>       target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*
>       target/hppa: Free some temps in do_sub
> 
> Sergei Trofimovich (1):
>       linux-user/strace.list: fix epoll_create{,1} -strace output
> 
> Stefan Berger (2):
>       tpm: tpm_spapr: Exit on TPM backend failures
>       tests: tpm: Skip over pcrUpdateCounter byte in result comparison
> 
> Stefan Hajnoczi (4):
>       virtiofsd: add --rlimit-nofile=NUM option
>       virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
>       aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy()
>       aio-posix: disable fdmon-io_uring when GSource is used
> 
> Stefano Stabellini (2):
>       Revert "9p: init_in_iov_from_pdu can truncate the size"
>       xen/9pfs: yield when there isn't enough room on the ring
> 
> Thomas Huth (1):
>       net: Do not include a newline in the id of -nic devices
> 
> Vladimir Sementsov-Ogievskiy (1):
>       migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start
> 
> Yuri Benditovich (1):
>       virtio-net: align RSC fields with updated virtio-net header
> 
> lichun (1):
>       chardev/tcp: Fix error message double free error
> 
>  backends/hostmem.c                                 |   6 +-
>  block.c                                            |   7 +-
>  block/io.c                                         |  10 +-
>  block/nbd.c                                        |  21 ++--
>  chardev/char-socket.c                              |   8 +-
>  contrib/libvhost-user/libvhost-user.c              |   4 +-
>  docs/system/arm/orangepi.rst                       |  16 ++-
>  hw/9pfs/9p-util.h                                  |  13 ++
>  hw/9pfs/9p.c                                       |  34 ++----
>  hw/9pfs/9p.h                                       |  10 +-
>  hw/9pfs/virtio-9p-device.c                         |  11 +-
>  hw/9pfs/xen-9p-backend.c                           |  41 +++++--
>  hw/acpi/core.c                                     |   9 +-
>  hw/arm/sbsa-ref.c                                  |   2 +-
>  hw/audio/es1370.c                                  |   7 +-
>  hw/audio/gusemu_hal.c                              |   2 +-
>  hw/audio/gusemu_mixer.c                            |   2 +-
>  hw/display/artist.c                                |  12 +-
>  hw/display/ati.c                                   |  10 +-
>  hw/i386/intel_iommu.c                              |   7 +-
>  hw/i386/intel_iommu_internal.h                     |   3 +-
>  hw/net/e1000e_core.c                               |  10 +-
>  hw/net/tulip.c                                     |   6 -
>  hw/net/virtio-net.c                                |  29 +----
>  hw/riscv/sifive_clint.c                            |   2 +-
>  hw/s390x/virtio-ccw.c                              |   6 +
>  hw/sd/pxa2xx_mmci.c                                |   4 +-
>  hw/sd/sd.c                                         |  90 ++++++++++----
>  hw/tpm/tpm_spapr.c                                 |   5 +-
>  hw/usb/core.c                                      |  16 ++-
>  hw/usb/dev-mtp.c                                   |  11 +-
>  hw/usb/hcd-xhci.c                                  |   4 +-
>  hw/virtio/virtio-balloon.c                         | 133 ++++++++++++---------
>  hw/virtio/virtio-pci.c                             |  38 ++++--
>  hw/virtio/virtio.c                                 |  25 ++++
>  include/block/aio.h                                |   3 +
>  include/hw/virtio/virtio-balloon.h                 |  20 ++--
>  include/hw/virtio/virtio.h                         |   2 +
>  include/qemu/osdep.h                               |  10 ++
>  include/standard-headers/linux/ethtool.h           |  10 +-
>  include/standard-headers/linux/input-event-codes.h |   5 +-
>  include/standard-headers/linux/pci_regs.h          |   2 +
>  include/standard-headers/linux/vhost_types.h       |   8 ++
>  include/standard-headers/linux/virtio_balloon.h    |  12 +-
>  include/standard-headers/linux/virtio_ids.h        |   1 +
>  include/standard-headers/linux/virtio_net.h        | 102 +++++++++++++++-
>  linux-headers/COPYING                              |   2 +
>  linux-headers/asm-x86/kvm.h                        |   1 +
>  linux-headers/asm-x86/unistd_32.h                  |   1 +
>  linux-headers/asm-x86/unistd_64.h                  |   1 +
>  linux-headers/asm-x86/unistd_x32.h                 |   1 +
>  linux-headers/linux/kvm.h                          |  47 +++++++-
>  linux-headers/linux/mman.h                         |   5 +-
>  linux-headers/linux/userfaultfd.h                  |  40 +++++--
>  linux-headers/linux/vfio.h                         |  37 ++++++
>  linux-headers/linux/vhost.h                        |  24 ++++
>  linux-user/strace.list                             |   4 +-
>  memory.c                                           |  29 ++---
>  migration/block-dirty-bitmap.c                     |   2 +-
>  nbd/server.c                                       |  51 ++++++--
>  net/net.c                                          |   4 +-
>  pc-bios/openbios-ppc                               | Bin 696912 -> 696912 bytes
>  pc-bios/openbios-sparc32                           | Bin 382048 -> 382048 bytes
>  pc-bios/openbios-sparc64                           | Bin 1593408 -> 1593408 bytes
>  qdev-monitor.c                                     |   2 +-
>  qemu-nbd.c                                         |  13 +-
>  qga/commands.c                                     |  17 ++-
>  qga/main.c                                         |   6 +-
>  roms/openbios                                      |   2 +-
>  scsi/qemu-pr-helper.c                              |   4 +-
>  target/arm/vec_helper.c                            |   2 +
>  target/hppa/translate.c                            |   2 +
>  target/i386/cpu.c                                  |   3 +
>  target/i386/kvm.c                                  |  11 +-
>  target/i386/kvm_i386.h                             |   1 +
>  tests/acceptance/avocado_qemu/__init__.py          |  13 +-
>  tests/acceptance/boot_linux.py                     |  49 ++++----
>  tests/acceptance/boot_linux_console.py             |  55 ++++++---
>  tests/qemu-iotests/028                             |  19 +++
>  tests/qemu-iotests/028.out                         |  11 ++
>  tests/qemu-iotests/143                             |   4 +
>  tests/qemu-iotests/143.out                         |   2 +
>  tests/qemu-iotests/283                             |   6 +-
>  tests/qemu-iotests/283.out                         |   2 +-
>  tests/qtest/libqos/pci-pc.c                        |   2 +-
>  tests/qtest/tpm-util.c                             |   6 +-
>  tests/qtest/usb-hcd-ehci-test.c                    |   2 +-
>  tools/virtiofsd/fuse_lowlevel.h                    |   1 +
>  tools/virtiofsd/helper.c                           |  47 ++++++++
>  tools/virtiofsd/passthrough_ll.c                   |  22 ++--
>  tools/virtiofsd/seccomp.c                          |   1 +
>  util/aio-posix.c                                   |  13 ++
>  util/aio-win32.c                                   |   4 +
>  util/async.c                                       |   1 +
>  util/fdmon-io_uring.c                              |  13 +-
>  util/oslib-posix.c                                 |  35 ++++++
>  util/oslib-win32.c                                 |  13 ++
>  97 files changed, 1045 insertions(+), 377 deletions(-)
> 
> 



* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-04  9:20 ` [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Philippe Mathieu-Daudé
@ 2020-09-10 18:16   ` Michael Roth
  2020-09-10 19:29     ` Philippe Mathieu-Daudé
  2020-09-10 20:11     ` Philippe Mathieu-Daudé
  0 siblings, 2 replies; 86+ messages in thread
From: Michael Roth @ 2020-09-10 18:16 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, qemu-devel; +Cc: qemu-stable

Quoting Philippe Mathieu-Daudé (2020-09-04 04:20:00)
> On 9/3/20 10:58 PM, Michael Roth wrote:
> > Hi everyone,
> > 
> > The following new patches are queued for QEMU stable v5.0.1:
> > 
> >   https://github.com/mdroth/qemu/commits/stable-5.0-staging
> > 
> > Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
> > 
> >   https://wiki.qemu.org/Planning/5.0
> > 
> > Please respond here or CC qemu-stable@nongnu.org on any additional patches
> > you think should be included in the release.
> 
> Candidates:
> 
> b638627c723 ("hw/sd: Fix incorrect populated function switch status data
> structure")

I get the following breakage with this patch applied, and also see the
error upstream, so I've left these out for now:

  mdroth@sif:~/w/qemu-build2$ AVOCADO_ALLOW_LARGE_STORAGE=1 tests/venv/bin/avocado run -t machine:orangepi-pc tests/acceptance/
  /home/mdroth/dev/kvm/qemu-build2/tests/venv/lib/python3.6/site-packages/avocado/plugins/run.py:214: FutureWarning: The following arguments will be changed to boolean soon: sysinfo, output-check, failfast, keep-tmp and ignore-missing-references.
    FutureWarning)
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
  JOB ID     : 1efcdbf82a9cb1313078641c403802980018b53d
  JOB LOG    : /home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcdbf/job.log
   (1/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi: PASS (4.41 s)
   (2/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd: PASS (17.86 s)
   (3/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd: PASS (51.11 s)
   (4/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic: INTERRUPTED: Test interrupted by SIGTERM\nRunner error occurred: Timeout reached\nOriginal status: ERROR\n{'name': '4-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic', 'logdir': '/home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcd... (90.58 s)
   (5/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9: INTERRUPTED: Test interrupted by SIGTERM\nRunner error occurred: Timeout reached\nOriginal status: ERROR\n{'name': '5-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9', 'logdir': '/home/mdroth/avocado/job-results/job-2020-09-10T11.0... (90.64 s)
  RESULTS    : PASS 3 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 2 | CANCEL 0
  JOB TIME   : 255.19 s
  JOB HTML   : /home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcdbf/results.html

> 6d2d4069c47 ("hw/sd: Correct the maximum size of a Standard Capacity SD
> Memory Card")
> 
> And maybe "memory: assert and define MemoryRegionOps callbacks"
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg729048.html
> 
> > 
> > Thanks!
> 



* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-10 18:16   ` Michael Roth
@ 2020-09-10 19:29     ` Philippe Mathieu-Daudé
  2020-09-10 20:11     ` Philippe Mathieu-Daudé
  1 sibling, 0 replies; 86+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-10 19:29 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 9/10/20 8:16 PM, Michael Roth wrote:
> Quoting Philippe Mathieu-Daudé (2020-09-04 04:20:00)
>> On 9/3/20 10:58 PM, Michael Roth wrote:
>>> Hi everyone,
>>>
>>> The following new patches are queued for QEMU stable v5.0.1:
>>>
>>>   https://github.com/mdroth/qemu/commits/stable-5.0-staging
>>>
>>> Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
>>>
>>>   https://wiki.qemu.org/Planning/5.0
>>>
>>> Please respond here or CC qemu-stable@nongnu.org on any additional patches
>>> you think should be included in the release.
>>
>> Candidates:
>>
>> b638627c723 ("hw/sd: Fix incorrect populated function switch status data
>> structure")
> 
> I get the following breakage with this patch applied, and also see the
> error upstream, so I've left these out for now:

Thanks, confirmed :/

> 
>   mdroth@sif:~/w/qemu-build2$ AVOCADO_ALLOW_LARGE_STORAGE=1 tests/venv/bin/avocado run -t machine:orangepi-pc tests/acceptance/
>   /home/mdroth/dev/kvm/qemu-build2/tests/venv/lib/python3.6/site-packages/avocado/plugins/run.py:214: FutureWarning: The following arguments will be changed to boolean soon: sysinfo, output-check, failfast, keep-tmp and ignore-missing-references.
>     FutureWarning)
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
>   Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
>   JOB ID     : 1efcdbf82a9cb1313078641c403802980018b53d
>   JOB LOG    : /home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcdbf/job.log
>    (1/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi: PASS (4.41 s)
>    (2/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_initrd: PASS (17.86 s)
>    (3/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd: PASS (51.11 s)
>    (4/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic: INTERRUPTED: Test interrupted by SIGTERM\nRunner error occurred: Timeout reached\nOriginal status: ERROR\n{'name': '4-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic', 'logdir': '/home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcd... (90.58 s)
>    (5/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9: INTERRUPTED: Test interrupted by SIGTERM\nRunner error occurred: Timeout reached\nOriginal status: ERROR\n{'name': '5-tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9', 'logdir': '/home/mdroth/avocado/job-results/job-2020-09-10T11.0... (90.64 s)
>   RESULTS    : PASS 3 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 2 | CANCEL 0
>   JOB TIME   : 255.19 s
>   JOB HTML   : /home/mdroth/avocado/job-results/job-2020-09-10T11.08-1efcdbf/results.html




* Re: [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10
  2020-09-10 18:16   ` Michael Roth
  2020-09-10 19:29     ` Philippe Mathieu-Daudé
@ 2020-09-10 20:11     ` Philippe Mathieu-Daudé
  1 sibling, 0 replies; 86+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-09-10 20:11 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 9/10/20 8:16 PM, Michael Roth wrote:
> Quoting Philippe Mathieu-Daudé (2020-09-04 04:20:00)
>> On 9/3/20 10:58 PM, Michael Roth wrote:
>>> Hi everyone,
>>>
>>> The following new patches are queued for QEMU stable v5.0.1:
>>>
>>>   https://github.com/mdroth/qemu/commits/stable-5.0-staging
>>>
>>> Patch freeze is 2020-09-10, and the release is planned for 2020-09-15:
>>>
>>>   https://wiki.qemu.org/Planning/5.0
>>>
>>> Please respond here or CC qemu-stable@nongnu.org on any additional patches
>>> you think should be included in the release.
>>
>> Candidates:
>>
>> b638627c723 ("hw/sd: Fix incorrect populated function switch status data
>> structure")
> 
> I get the following breakage with this patch applied, and also see the
> error upstream

>> 6d2d4069c47 ("hw/sd: Correct the maximum size of a Standard Capacity SD
>> Memory Card")

^ the 2nd one is OK for stable.




Thread overview: 86+ messages
2020-09-03 20:58 [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Michael Roth
2020-09-03 20:58 ` [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty Michael Roth
2020-09-03 20:58 ` [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_* Michael Roth
2020-09-03 20:58 ` [PATCH 03/77] qemu-nbd: Close inherited stderr Michael Roth
2020-09-03 20:58 ` [PATCH 04/77] 9p: Lock directory streams with a CoMutex Michael Roth
2020-09-03 20:58 ` [PATCH 05/77] net: Do not include a newline in the id of -nic devices Michael Roth
2020-09-03 20:58 ` [PATCH 06/77] nbd/server: Avoid long error message assertions CVE-2020-10761 Michael Roth
2020-09-03 20:58 ` [PATCH 07/77] virtio-balloon: fix free page hinting without an iothread Michael Roth
2020-09-03 20:58 ` [PATCH 08/77] virtio-balloon: fix free page hinting check on unrealize Michael Roth
2020-09-03 20:58 ` [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing Michael Roth
2020-09-03 20:58 ` [PATCH 10/77] block: Call attention to truncation of long NBD exports Michael Roth
2020-09-03 20:58 ` [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions Michael Roth
2020-09-03 20:58 ` [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX Michael Roth
2020-09-03 20:58 ` [PATCH 13/77] xen-9pfs: Fix log messages of reply errors Michael Roth
2020-09-03 20:58 ` [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size" Michael Roth
2020-09-03 20:58 ` [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring Michael Roth
2020-09-04 10:59   ` Christian Schoenebeck
2020-09-03 20:58 ` [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800) Michael Roth
2020-09-03 20:58 ` [PATCH 17/77] es1370: check total frame count against current frame Michael Roth
2020-09-03 20:58 ` [PATCH 18/77] Fix tulip breakage Michael Roth
2020-09-03 20:58 ` [PATCH 19/77] iotests/283: Use consistent size for source and target Michael Roth
2020-09-03 20:58 ` [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option Michael Roth
2020-09-03 20:58 ` [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) Michael Roth
2020-09-03 20:58 ` [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets() Michael Roth
2020-09-03 20:58 ` [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG Michael Roth
2020-09-03 20:58 ` [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy() Michael Roth
2020-09-03 20:58 ` [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used Michael Roth
2020-09-03 20:58 ` [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output Michael Roth
2020-09-03 20:58 ` [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register Michael Roth
2020-09-03 20:58 ` [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register Michael Roth
2020-09-03 20:58 ` [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid" Michael Roth
2020-09-03 20:58 ` [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT Michael Roth
2020-09-03 20:58 ` [PATCH 31/77] xhci: fix valid.max_access_size to access address registers Michael Roth
2020-09-03 20:58 ` [PATCH 32/77] acpi: accept byte and word access to core ACPI registers Michael Roth
2020-09-03 20:58 ` [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses Michael Roth
2020-09-03 20:58 ` [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value Michael Roth
2020-09-03 20:58 ` [PATCH 35/77] virtiofsd: Whitelist fchmod Michael Roth
2020-09-03 20:58 ` [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access Michael Roth
2020-09-03 20:58 ` [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression Michael Roth
2020-09-03 20:58 ` [PATCH 38/77] error: Use error_reportf_err() where appropriate Michael Roth
2020-09-03 20:58 ` [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure Michael Roth
2020-09-03 20:58 ` [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation Michael Roth
2020-09-03 20:58 ` [PATCH 41/77] chardev/tcp: Fix error message double free error Michael Roth
2020-09-03 20:59 ` [PATCH 42/77] qga: fix assert regression on guest-shutdown Michael Roth
2020-09-03 20:59 ` [PATCH 43/77] util: Introduce qemu_get_host_name() Michael Roth
2020-09-03 20:59 ` [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name() Michael Roth
2020-09-03 20:59 ` [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two Michael Roth
2020-09-03 20:59 ` [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd' Michael Roth
2020-09-03 20:59 ` [PATCH 47/77] tests/acceptance: allow console interaction with specific VMs Michael Roth
2020-09-03 20:59 ` [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse Michael Roth
2020-09-03 20:59 ` [PATCH 49/77] tests/acceptance: refactor boot_linux_console test " Michael Roth
2020-09-03 20:59 ` [PATCH 50/77] tests/acceptance/boot_linux: Expand SD card image to power of 2 Michael Roth
2020-09-03 20:59 ` [PATCH 51/77] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards Michael Roth
2020-09-03 20:59 ` [PATCH 52/77] hw/sd/sdcard: Simplify realize() a bit Michael Roth
2020-09-03 20:59 ` [PATCH 53/77] hw/sd/sdcard: Do not allow invalid SD card sizes Michael Roth
2020-09-03 20:59 ` [PATCH 54/77] hw/sd/sdcard: Update coding style to make checkpatch.pl happy Michael Roth
2020-09-03 20:59 ` [PATCH 55/77] hw/sd/sdcard: Do not switch to ReceivingData if address is invalid Michael Roth
2020-09-03 20:59 ` [PATCH 56/77] target/hppa: Free some temps in do_sub Michael Roth
2020-09-03 20:59 ` [PATCH 57/77] tpm: tpm_spapr: Exit on TPM backend failures Michael Roth
2020-09-03 20:59 ` [PATCH 58/77] tests: tpm: Skip over pcrUpdateCounter byte in result comparison Michael Roth
2020-09-03 20:59 ` [PATCH 59/77] qdev: Fix device_add DRIVER,help to print to monitor Michael Roth
2020-09-03 20:59 ` [PATCH 60/77] virtio-balloon: Prevent guest from starting a report when we didn't request one Michael Roth
2020-09-03 20:59 ` [PATCH 61/77] virtio-balloon: Add locking to prevent possible race when starting hinting Michael Roth
2020-09-03 20:59 ` [PATCH 62/77] virtio-balloon: always indicate S_DONE when migration fails Michael Roth
2020-09-03 20:59 ` [PATCH 63/77] linux-headers: update against Linux 5.7-rc3 Michael Roth
2020-09-03 20:59 ` [PATCH 64/77] virtio-balloon: Replace free page hinting references to 'report' with 'hint' Michael Roth
2020-09-03 20:59 ` [PATCH 65/77] virtio: list legacy-capable devices Michael Roth
2020-09-03 20:59 ` [PATCH 66/77] virtio: verify that legacy support is not accidentally on Michael Roth
2020-09-07 12:18   ` Cornelia Huck
2020-09-03 20:59 ` [PATCH 67/77] intel_iommu: Use correct shift for 256 bits qi descriptor Michael Roth
2020-09-03 20:59 ` [PATCH 68/77] virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks Michael Roth
2020-09-03 20:59 ` [PATCH 69/77] libvhost-user: Report descriptor index on panic Michael Roth
2020-09-03 20:59 ` [PATCH 70/77] Update OpenBIOS images to 7f28286f built from submodule Michael Roth
2020-09-03 20:59 ` [PATCH 71/77] migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start Michael Roth
2020-09-03 20:59 ` [PATCH 72/77] block: Fix bdrv_aligned_p*v() for qiov_offset != 0 Michael Roth
2020-09-03 20:59 ` [PATCH 73/77] iotests/028: Add test for cross-base-EOF reads Michael Roth
2020-09-03 20:59 ` [PATCH 74/77] nbd: Fix large trim/zero requests Michael Roth
2020-09-03 20:59 ` [PATCH 75/77] virtio-net: align RSC fields with updated virtio-net header Michael Roth
2020-09-03 20:59 ` [PATCH 76/77] hw/arm/sbsa-ref: fix typo breaking PCIe IRQs Michael Roth
2020-09-03 20:59 ` [PATCH 77/77] usb: fix setup_len init (CVE-2020-14364) Michael Roth
2020-09-04  9:20 ` [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10 Philippe Mathieu-Daudé
2020-09-10 18:16   ` Michael Roth
2020-09-10 19:29     ` Philippe Mathieu-Daudé
2020-09-10 20:11     ` Philippe Mathieu-Daudé
2020-09-04 13:17 ` Thomas Huth
2020-09-10 18:14 ` Michael Roth
