[Linux xfs bug] KASAN: slab-use-after-free Read in fserror_worker

[Sam Sun]

Dear developers and maintainers,

We encountered a slab-use-after-free bug while using our modified
syzkaller. This bug is successfully reproduced on kernel commit
37a93dd5c49b5fda807fd204edf2547c3493319c. Kernel crash log is listed
below.

[ 217.613191][ T9]
==================================================================
[ 217.613974][ T9] BUG: KASAN: slab-use-after-free in
iput.part.0+0xe43/0xf50
[ 217.614674][ T9] Read of size 4 at addr ff1100002b0e11b8 by task
kworker/0:0/9
[ 217.615384][ T9]
[ 217.615614][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
tainted 6.19.0-08320-g37a93dd5c49b #11 PREEMPT(full)
[ 217.615630][ T9] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[ 217.615639][ T9] Workqueue: events fserror_worker
[ 217.615654][ T9] Call Trace:
[ 217.615659][ T9] <TASK>
[ 217.615663][ T9] dump_stack_lvl+0x116/0x1b0
[ 217.615687][ T9] print_report+0xca/0x5f0
[ 217.615706][ T9] ? __phys_addr+0xeb/0x180
[ 217.615727][ T9] ? iput.part.0+0xe43/0xf50
[ 217.615742][ T9] ? iput.part.0+0xe43/0xf50
[ 217.615758][ T9] kasan_report+0xca/0x100
[ 217.615776][ T9] ? iput.part.0+0xe43/0xf50
[ 217.615793][ T9] iput.part.0+0xe43/0xf50
[ 217.615809][ T9] ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 217.615831][ T9] ? __pfx_xfs_fs_report_error+0x10/0x10
[ 217.615851][ T9] iput+0x35/0x40
[ 217.615866][ T9] fserror_worker+0x1da/0x320
[ 217.615879][ T9] ? __pfx_fserror_worker+0x10/0x10
[ 217.615894][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 217.615916][ T9] process_one_work+0x992/0x1b00
[ 217.615934][ T9] ? __pfx_process_srcu+0x10/0x10
[ 217.615952][ T9] ? __pfx_process_one_work+0x10/0x10
[ 217.615969][ T9] ? __pfx_fserror_worker+0x10/0x10
[ 217.615983][ T9] worker_thread+0x67e/0xe90
[ 217.616000][ T9] ? __pfx_worker_thread+0x10/0x10
[ 217.616016][ T9] kthread+0x38d/0x4a0
[ 217.616030][ T9] ? __pfx_kthread+0x10/0x10
[ 217.616044][ T9] ret_from_fork+0xb32/0xde0
[ 217.616058][ T9] ? __pfx_ret_from_fork+0x10/0x10
[ 217.616070][ T9] ? __pfx_kthread+0x10/0x10
[ 217.616084][ T9] ? __switch_to+0x767/0x10d0
[ 217.616100][ T9] ? __pfx_kthread+0x10/0x10
[ 217.616114][ T9] ret_from_fork_asm+0x1a/0x30
[ 217.616134][ T9] </TASK>
[ 217.616138][ T9]
[ 217.631722][ T9] Allocated by task 12552:
[ 217.632138][ T9] kasan_save_stack+0x24/0x50
[ 217.632588][ T9] kasan_save_track+0x14/0x30
[ 217.633034][ T9] __kasan_slab_alloc+0x87/0x90
[ 217.633498][ T9] kmem_cache_alloc_lru_noprof+0x23f/0x6c0
[ 217.634050][ T9] xfs_inode_alloc+0x80/0x910
[ 217.634496][ T9] xfs_iget+0x893/0x3020
[ 217.634903][ T9] xfs_lookup+0x323/0x6c0
[ 217.635320][ T9] xfs_vn_lookup+0x154/0x1d0
[ 217.635752][ T9] lookup_open.isra.0+0x64a/0x1030
[ 217.636244][ T9] path_openat+0xe97/0x2cf0
[ 217.636663][ T9] do_file_open+0x216/0x470
[ 217.637086][ T9] do_sys_openat2+0xe6/0x250
[ 217.637523][ T9] __x64_sys_openat+0x13f/0x1f0
[ 217.637980][ T9] do_syscall_64+0x11b/0xf80
[ 217.638411][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 217.638959][ T9]
[ 217.639183][ T9] Freed by task 15:
[ 217.639541][ T9] kasan_save_stack+0x24/0x50
[ 217.639987][ T9] kasan_save_track+0x14/0x30
[ 217.640431][ T9] kasan_save_free_info+0x3b/0x60
[ 217.640899][ T9] __kasan_slab_free+0x61/0x80
[ 217.641351][ T9] kmem_cache_free+0x139/0x6a0
[ 217.641804][ T9] rcu_core+0x59e/0x1130
[ 217.642210][ T9] handle_softirqs+0x1d4/0x8e0
[ 217.642667][ T9] run_ksoftirqd+0x3a/0x60
[ 217.643089][ T9] smpboot_thread_fn+0x3d4/0xaa0
[ 217.643555][ T9] kthread+0x38d/0x4a0
[ 217.643939][ T9] ret_from_fork+0xb32/0xde0
[ 217.644373][ T9] ret_from_fork_asm+0x1a/0x30
[ 217.644821][ T9]
[ 217.645043][ T9] Last potentially related work creation:
[ 217.645565][ T9] kasan_save_stack+0x24/0x50
[ 217.646019][ T9] kasan_record_aux_stack+0xa7/0xc0
[ 217.646499][ T9] __call_rcu_common.constprop.0+0xa4/0xa00
[ 217.647058][ T9] xfs_iget+0x100e/0x3020
[ 217.647466][ T9] xfs_lookup+0x323/0x6c0
[ 217.647874][ T9] xfs_vn_lookup+0x154/0x1d0
[ 217.648310][ T9] lookup_open.isra.0+0x64a/0x1030
[ 217.648794][ T9] path_openat+0xe97/0x2cf0
[ 217.649217][ T9] do_file_open+0x216/0x470
[ 217.649647][ T9] do_sys_openat2+0xe6/0x250
[ 217.650089][ T9] __x64_sys_openat+0x13f/0x1f0
[ 217.650546][ T9] do_syscall_64+0x11b/0xf80
[ 217.650983][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 217.651537][ T9]
[ 217.651761][ T9] The buggy address belongs to the object at
ff1100002b0e0f00
[ 217.651761][ T9] which belongs to the cache xfs_inode of size 1784
[ 217.653033][ T9] The buggy address is located 696 bytes inside of
[ 217.653033][ T9] freed 1784-byte region [ff1100002b0e0f00,
ff1100002b0e15f8)
[ 217.654300][ T9]
[ 217.654521][ T9] The buggy address belongs to the physical page:
[ 217.654681][T12608] XFS (loop1): Ending clean mount
[ 217.655107][ T9] page: refcount:0 mapcount:0
mapping:0000000000000000 index:0xff1100002b0e3c00 pfn:0x2b0e0
[ 217.656518][ T9] head: order:3 mapcount:0 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[ 217.657289][ T9] memcg:ff1100002b0e0721
[ 217.657686][ T9] flags:
0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
[ 217.658474][ T9] page_type: f5(slab)
[ 217.658853][ T9] raw: 00fff00000000240 ff1100001cf1a280
ffd400000090d010 ff1100001cf1b648
[ 217.659642][ T9] raw: ff1100002b0e3c00 0000078000110008
00000000f5000000 ff1100002b0e0721
[ 217.660438][ T9] head: 00fff00000000240 ff1100001cf1a280
ffd400000090d010 ff1100001cf1b648
[ 217.661243][ T9] head: ff1100002b0e3c00 0000078000110008
00000000f5000000 ff1100002b0e0721
[ 217.662038][ T9] head: 00fff00000000003 ffd4000000ac3801
00000000ffffffff 00000000ffffffff
[ 217.662829][ T9] head: ffffffffffffffff 0000000000000000
00000000ffffffff 0000000000000008
[ 217.663624][ T9] page dumped because: kasan: bad access detected
[ 217.664211][ T9] page_owner tracks the page as allocated
[ 217.664732][ T9] page last allocated via order 3, migratetype
Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__2
[ 217.665172][T12608] XFS (loop1): Quotacheck needed: Please wait.
[ 217.666765][ T9] post_alloc_hook+0x1ca/0x240
[ 217.667789][ T9] get_page_from_freelist+0xde8/0x2ae0
[ 217.668307][ T9] __alloc_frozen_pages_noprof+0x256/0x20f0
[ 217.668868][ T9] new_slab+0xa6/0x6b0
[ 217.669335][ T9] refill_objects+0x256/0x3f0
[ 217.669774][ T9] __pcs_replace_empty_main+0x1b1/0x620
[ 217.670284][ T9] kmem_cache_alloc_lru_noprof+0x586/0x6c0
[ 217.670818][ T9] xfs_inode_alloc+0x80/0x910
[ 217.671257][ T9] xfs_iget+0x893/0x3020
[ 217.671656][ T9] xfs_trans_metafile_iget+0xa8/0x3c0
[ 217.672149][ T9] xfs_rtginode_load+0x655/0xb00
[ 217.672617][ T9] xfs_rtmount_inodes+0x17f/0x4c0
[ 217.673094][ T9] xfs_mountfs+0x1182/0x1fa0
[ 217.673525][ T9] xfs_fs_fill_super+0x1598/0x1f70
[ 217.674007][ T9] get_tree_bdev_flags+0x389/0x620
[ 217.674484][ T9] vfs_get_tree+0x93/0x340
[ 217.674909][ T9] page last free pid 10493 tgid 10493 stack trace:
[ 217.675511][ T9] free_unref_folios+0xa06/0x14e0
[ 217.675981][ T9] folios_put_refs+0x4b3/0x750
[ 217.676430][ T9] shmem_undo_range+0x553/0x12b0
[ 217.676893][ T9] shmem_evict_inode+0x39a/0xb90
[ 217.677369][ T9] evict+0x3a1/0xa90
[ 217.677745][ T9] iput.part.0+0x5bb/0xf50
[ 217.678166][ T9] iput+0x35/0x40
[ 217.678512][ T9] dentry_unlink_inode+0x296/0x470
[ 217.678991][ T9] __dentry_kill+0x1d2/0x600
[ 217.679428][ T9] finish_dput+0x75/0x460
[ 217.679838][ T9] dput.part.0+0x451/0x570
[ 217.680259][ T9] dput+0x1f/0x30
[ 217.680604][ T9] __fput+0x516/0xb50
[ 217.680979][ T9] task_work_run+0x16b/0x260
[ 217.681219][ T27] XFS (loop1): Metadata corruption detected at
xfs_dinode_verify.part.0+0x8e0/0x1870, inode 0x2443 dinode
[ 217.681410][ T9] exit_to_user_mode_loop+0x115/0x510
[ 217.682491][ T27] XFS (loop1): Unmount and run xfs_repair
[ 217.682981][ T9] do_syscall_64+0x714/0xf80
[ 217.683512][ T27] XFS (loop1): First 128 bytes of corrupted
metadata buffer:
[ 217.683940][ T9]
[ 217.683943][ T9] Memory state around the buggy address:
[ 217.685359][ T9] ff1100002b0e1080: fb fb fb fb fb fb fb fb fb
fb fb fb fb fb fb fb
[ 217.686100][ T9] ff1100002b0e1100: fb fb fb fb fb fb fb fb fb
fb fb fb fb fb fb fb
[ 217.686825][ T9] >ff1100002b0e1180: fb fb fb fb fb fb fb fb fb
fb fb fb fb fb fb fb
[ 217.687552][ T9] ^
[ 217.688091][ T9] ff1100002b0e1200: fb fb fb fb fb fb fb fb fb
fb fb fb fb fb fb fb
[ 217.688822][ T9] ff1100002b0e1280: fb fb fb fb fb fb fb fb fb
fb fb fb fb fb fb fb
[ 217.689558][ T9]
==================================================================
[ 217.708247][ T27] 00000000: 49 4e 41 ed 03 01 00 00 00 00 00 00
00 00 00 00 INA.............
[ 217.709103][ T27] 00000010: 00 00 00 02 00 00 00 00 00 00 00 00
00 00 00 00 ................
[ 217.711226][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 217.711923][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
tainted 6.19.0-08320-g37a93dd5c49b #11 PREEMPT(full)
[ 217.712915][ T9] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[ 217.713788][ T9] Workqueue: events fserror_worker
[ 217.714278][ T9] Call Trace:
[ 217.714594][ T9] <TASK>
[ 217.714876][ T9] dump_stack_lvl+0x3d/0x1b0
[ 217.715324][ T9] vpanic+0x679/0x710
[ 217.715709][ T9] panic+0xc2/0xd0
[ 217.716073][ T9] ? __pfx_panic+0x10/0x10
[ 217.716502][ T9] ? preempt_schedule_common+0x44/0xb0
[ 217.717019][ T9] ? iput.part.0+0xe43/0xf50
[ 217.717466][ T9] ? preempt_schedule_thunk+0x16/0x30
[ 217.717982][ T9] ? check_panic_on_warn+0x1f/0xc0
[ 217.718468][ T9] ? iput.part.0+0xe43/0xf50
[ 217.718915][ T9] check_panic_on_warn+0xb1/0xc0
[ 217.719392][ T9] ? iput.part.0+0xe43/0xf50
[ 217.719837][ T9] end_report+0x107/0x160
[ 217.720260][ T9] kasan_report+0xd8/0x100
[ 217.720696][ T9] ? iput.part.0+0xe43/0xf50
[ 217.721141][ T9] iput.part.0+0xe43/0xf50
[ 217.721570][ T9] ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 217.722135][ T9] ? __pfx_xfs_fs_report_error+0x10/0x10
[ 217.722675][ T9] iput+0x35/0x40
[ 217.723033][ T9] fserror_worker+0x1da/0x320
[ 217.723480][ T9] ? __pfx_fserror_worker+0x10/0x10
[ 217.723974][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 217.724479][ T9] process_one_work+0x992/0x1b00
[ 217.724961][ T9] ? __pfx_process_srcu+0x10/0x10
[ 217.725448][ T9] ? __pfx_process_one_work+0x10/0x10
[ 217.725969][ T9] ? __pfx_fserror_worker+0x10/0x10
[ 217.726457][ T9] worker_thread+0x67e/0xe90
[ 217.726900][ T9] ? __pfx_worker_thread+0x10/0x10
[ 217.727395][ T9] kthread+0x38d/0x4a0
[ 217.727790][ T9] ? __pfx_kthread+0x10/0x10
[ 217.728235][ T9] ret_from_fork+0xb32/0xde0
[ 217.728680][ T9] ? __pfx_ret_from_fork+0x10/0x10
[ 217.729165][ T9] ? __pfx_kthread+0x10/0x10
[ 217.729606][ T9] ? __switch_to+0x767/0x10d0
[ 217.730066][ T9] ? __pfx_kthread+0x10/0x10
[ 217.730513][ T9] ret_from_fork_asm+0x1a/0x30
[ 217.730981][ T9] </TASK>
[ 217.731450][ T9] Kernel Offset: disabled
[ 217.731860][ T9] Rebooting in 86400 seconds..

Possible root cause (tentative):
fserror_report_file_metadata() appears to queue an async event that
keeps an inode pointer for later iput in the worker. In an XFS iget
cache-miss failure path, an inode can be marked sick / reported and
then torn down immediately via the local destroy/free path. If that
happens, the queued error event may still carry a pointer to an inode
that has already entered RCU free, and the later worker-side iput can
touch freed memory. In short, this looks like a lifetime mismatch
between asynchronous fserror event handling and early inode teardown
on an XFS iget failure path.

Our reproducible input is currently in syzlang version, the syz
reproducer is listed below(usage could be found at
https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md#using-a-c-reproducer):

# {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1
Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true
NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false
DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true
IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true
Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}}
r0 = socket(0x400000000010, 0x3, 0x0)
syz_mount_image$xfs(&(0x7f0000009600),
&(0x7f0000009640)='./file0\x00', 0x200800,
&(0x7f0000000100)={[{@lazytime}, {@ikeep}, {@filestreams}, {@pquota},
{@nolargeio}]}, 0x4, 0x9681,
&(0x7f0000012cc0)="$eJzs2gnYpnPBuP/7GcYuY6ik1FREi6xZopoZzFBIlmhHlpSlpEKblBQqItqzb9nKEsrWSrK3UEKoZIm02Ib5H8/MM4xx8ta/93d46zzP43ju5bqv63q+9/dzLc+UzSZtNHEwmGswvXGDWTvv2slTxly9/h1Hbbngscudes8Bj15x8fEjzxNGnicOBoNRIx8PTV82dnDa6aMGs09b/kjzzj3P0PyDwfIjb0f2M1h5+tP8V8xYb+oszTrQoUce9pn+M60Fhn/F8IvDD9jriMFgMGam7YcGg6E9HvNFpW02YfKkR6wedhu2Gj3yeuafOab/zH/xYDD/mQM+PmZed+hJ+ErDv3OPF507ev0n4Xf/x7XZhMnrzOI/fC7ONrJs5eFzfNZz0Nisx/ltS2y+6sgUTjveBoPhS9yjzpX/iDabMGndweNf5wdHrXbhPlOnXzfnHEy/Ucw9GAzmGbm+zvdku9S/14SJK0y7Z894P8I+41jeg46LE9568kPDN+nBYLDQYDB27Rn3gqqqqvrPaMLEFdaA+/9cT3T/P+WURc/s/l9VVfWf2zoTJq4wfK+f5f4/3xPd/3de9KI9p/9v/+NXnr7VQ0/ul6iqqqp/qUnr4P1/zBPd/1de47J1u/9XVVX957bhetPu//PNcv9f+Inu/286ebXFRtab8XfDgzPtcmim/z/hgZmWzzbT8vtnWj56pv3MvP4cMy2/d6blcw5/BuuPGwzGzvjvBac8snjsuOHPRpbfN9Py8Y/8dzqLrznT8gkzLZ800/KJI2MdXj55puWTZ1p/7SeY6qqqqv8zbbjCpDUGM/139iOLF5nxOd3/LzjruqWfrPFWVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVXVf2YP3XH2uYPBYGgwGIwaDKYMRl7P/DyYOnXq1OH3p5x/+eVP2kD/bzR03rWTp4y5ev07jtpywWOXO/WeAx6Zpf/Y/vO/Qf07DfvPdfy4wWDHTZ7sodSTUOe/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5i3vojrPPHTkGRg0GUwYjr/eY8XzW/m9888iqq2566l0HP7Ll4uO3G3l13rWTp2z3JIz9SWho+LuOuXr9O47acsFjlzv1ngP+C86e//xvUP9O0/y3GxoMRs7vMcPn8voTNtx4qcFgcPBdp2660uDhz1YZ/my1sbMNZpu26VLTHtdanHe8x9rTn8cPPyz88D5Ombb/daYeNtvQLIOYqVecd+NR79jsnhVnfV7y8b/HqBkvjrj+jLunTp069VELR5rrcTaesf8Z32XW83xk7EsNj32ZXXZ49zLv3W33pbfbYYttt9526x2XW2GVFVdafrmVVn3ZMttst/3Wy05/fJw5GzftcY1/Zs7mm3XO7pgw85zN+t0eb87GPfGcTdvjlN2HNp4xZ7P/i3O2xhPP2bjtRn7R4uNHDzafNjVDg8Hia44e7Dr8Zrk5B4PF1xpZd5HhdVcfO2ow2P+RLzr8as6Hj8GhPYbX2WzSRhMfGdljv+FjrtOPWnHx8SPPE0aeJ04f4rjBI4fi2MFpp48anotHTfO8c88zNP9gsPzI25H9DFYd+fTQGetNnaVZBzr0yMM+03+mtcDwToZfvHPZs68ZPhdn2f7/Rf+/rv+P8Vpl6OGJGhr5GVlnuteEyes88rumTcPw3M02smzlYZNZ5+x/s8eMd9zsgzFPMN5J60xcYXjxLPM/YxM8vu5c4sIPTj+2xq88fauH/n+j0Hjne4LxrjMBxzvfE433+A9devr0Xf2vjXeWa9260x7H/zPXusETX+tmox1sfclis17rXvP4Q3zUeTxjjuacZaXHu9btesjyewzvf/wTX+vWHR776Edd60YNBouvMeNaN3zhmzR6sP/wm+WH30wePTh2+M0K097MPTh/+M1L377T9lsNL1h7xpwsO7zf8WOHprlfuPKtS049cOrUNUfGMn7so8c6cnyMm/l+PmHs9Mmcse2M/Q6vOmO/tzx9+meTRvY74V/Y74xtabx3LTD9s8kj+504y35HP8F+Z2z7mPNhqaGHL1yPc72ZNMv1ZuTfODN+3aN+5pj+M//Fg8H8Z5LvLOv+j9dMOn/neoLxTpi4whrD45vl/H34cKTz99LJVw/fK+YfDAYLDQZj154x9n+xoccb7+xPPN6JMN7Zn2i8Vx63w3r/C+MdzDTeRx1nm204/VhZe+Q4m/wvHL8ztp31OjZ62qfTL/tr/zPXsXGPuY59bLZRs0z2TD3e32xbwfrTXy/yyN+51550zIy5Hz3Lfv+nv9lm+i5DcB0bM8u/50etfcNgiOZ8j+NXv2zooCee89GDR//bYsacz9j2ieZ88j8z58964jn/Z/9OXur50z8fPcv4Z57zDfZ75r4z5nyOWfb7P8355Ce+dzx2zscPRtOcL3v/9Hl7ouvp4835jG1nzPnwV1xt7OyDtYbvWSNzPumfmfNF/neO83lg/emvt3540TlHnfr6GXM+6xz/T3M+6V+d83EPH+eLT/vseaMGc8wx2HWLXXbZebnpjzPeLj/9ka9F9147fZ6f6F76eEYztn2i82LNf8ZozD9lNPQ/GS06++MZPXJqHbnTzk/7/3stWvNfNRrwtejqY6bP2xP9XfR4cz5jW7oPLjzT9rP+O3TD9ab93T3fLPfBGZvgffCcs9bde8YuRzZ7cJZhzrivPjDT8tlmWn7/TMtHz7SfmdefY6bl9860fPgrzDHT+jNYxw3/m3dk+ZRHVh87/MfTuJHl9820fPwj2y6+5kzLJ8y0fNJMyyc+cmgsPnmm5ZNnWn/twb/YjP9NertZL/L1z9b//usuf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y1/cQ3ecfe7IMTBqMJgymP56aOR5sMfQBre/avh5MBiMXvnEqRs82eN9khs679rJU8Zcvf4dR2254LHLnXrPAf8FZ89//jeof6dp/tsNDQYj5/eY7QaDwfoTNtx4qcFgsMHUE1ceNXj4s0WGP1t97KjBYP+hR+1gzofXGdpjeJ3NJm00cTCYa2SNcY/5pY85jx614uLjR54njDxPnH59Gjd45HgdOzjt9FGD2actf6R5555naP7BYPmRtyP7Gaw8/Wn+K2asN3WWZh3o0CMP+0z/mdYCw79i+MWu205+9vBczbL9/5lmXKu3G/U/rtr57y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8nf3r/l3tPy3lai7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd/dP+s/x/3oc9eTU+e8uf3f5u8vfXf7iHrrj7HNHjoFRg8GUwfTXQ3uMPA+GTj7thSOHyOjdrjr6sCd7vE9yQ+ddO3nKmKvXv+OoLRc8drlT7zngv+Ds+c//BvXvNM1/u6HBYOT8HrPdYDBYf8KGGy81GAwOO/qq3UYNHv5skeHPVh87ajDYf+hRO5jz4XWG9hheZ7NJG00cDOYaWWPcY37pY86jR624+PiR5wkjzxOnX5/GDR45XscOTjt91GD2acsfad655xmafzBYfuTtyH4GK09/mv+KGetNnaVZBzr0yMM+03+mtcDwrxh+sdd81548PFezbP9/phnX6u1G/Y+rdv67y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/uIfuOPvckWNg1GAwZTD99aiR56E9br7pIxsPPw+/X3Dtva99ssf7JDd03rWTp4y5ev07jtpywWOXO/WeA/4Lzp7//G9Q/07D/nMdP24w2HGTJ3so9STU+e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7u8neXv7v83eXvLn93+bvL313+7vJ3l7+7/N3l7y5/d/m7y99d/u7yd5e/u/zd5e8uf3f5u8vfXf7iHrrj7HNHXo56ZOmoPTousKHzrp08ZczV699x1JYLHrvcqfcc8GQP6N/tcfw/lj9m8d8zf8zi//H8MYv/J/LHLP575Y9Z/D+ZP2bx3zt/zOL/qfwxi/+n88cs/vvkj1n8980fs/jvlz9m8f9M/pjF/7P5Yxb/z+WPWfz3zx+z+B+QP2bx/3z+mMX/wPwxi/9B+WMW/y/kj1n8D84fs/gfkj9m8f9i/pjF/0v5Yxb/L+ePWfy/kj9m8f9q/pjF/2v5Yxb/r+ePWfy/kT9m8T80f8zif1j+mMX/8Pwxi/8R+WMW/yPzxyz+R+WPWfyPzh+z+B+TP2bxPzZ/zOJ/XP6Yxf/4/DGL/zfzxyz+J+SPWfxPzB+z+J+UP2bxPzl/zOJ/Sv6Yxf9b+WMW/2/nj1n8T80fs/iflj9m8T89f8zif0b+mMX/O/ljFv8z88cs/mflj1n8z84fs/h/N3/M4v+9/LFp/sMT9V/uf07+mOX8Pzd/zOJ/Xv6Yxf/8/DGL/wX5Yxb/7+ePWfx/kD9m8f9h/pjF/0f5Yxb/H+ePWfx/kj9m8b8wf8zif1H+mMX/p/ljFv+L88cs/j/LH7P4X5I/ZvG/NH/M4n9Z/pjF//L8MYv/FfljFv8r88cs/lflj1n8f54/ZvH/Rf6Yxf+X+WMW/1/lj1n8r84fs/hfkz9m8f91/pjF/zf5Yxb/a/PHLP6/zR+z+F+XP2bxvz5/zOJ/Q/6Yxf93+WMW/xvzxyz+N+WPWfxvzh+z+P8+f8zi/4f8MYv/H/PHLP635I9Z/P+UP2bxvzV/zOJ/W/6Yxf/2/DGL/x35Yxb/P+ePWfzvzB+z+N+VP2bx/0v+mMX/7vwxi/9f88cs/n/LH7P4/z1/zOL/j/wxi/89+WMW/3vzxyz+9+WPWfzvzx+z+D+QP2bxn5I/ZvF/MH/M4v9Q/pjFf2r+mMR/tkH+mMV/KH/M4j8qf8ziP1v+mMV/9vwxi//o/DGL/xz5Yxb/OfPHLP5z5Y9Z/OfOH7P4z5M/ZvGfN3/M4j9f/pjFf/78MYv/U/LHLP4L5I9Z/Mfkj1n8F8wfs/iPzR+z+C+UP2bxXzh/zOL/1Pwxi//T8scs/k/PH7P4L5I/ZvF/Rv6YxX/R/DGL/zPzxyz+z8ofs/gvlj9m8X92/pjF/zn5Yxb/cfljFv/n5o9Z/J+X/2OafeTZ4P/8/DHL+b94/pjFf4n8MYv/C/LHLP5L5o9Z/JfKH7P4vzB/zOL/ovwxi/+L88cs/i/JH7P4L50/ZvF/af6YxX+Z/DGL/7L5Yxb/5fLHLP7L549Z/FfIH7P4r5g/ZvF/Wf6YxX+l/DGL/8r5Yxb/VfLHLP6r5o9Z/F+eP2bxXy1/zOK/ev6Yxf8V+WMW/1fmj1n8X5U/ZvEfnz9m8Z+QP2bxn5g/ZvFfI3/M4r9m/pjFf638MYv/pPwxi/9klf9s//SaFv+1Vf7/fBb/dfLHLP6vzh+z+L8mf8ziv27+mMV/vfwxi//6+WMW/9fmj1n8N8gfs/i/Ln/M4r9h/pjFf6P8MYv/xvljFv9N8scs/q/PH7P4b5o/ZvHfLH/M4v+G/DGL/xvzxyz+b8ofs/i/OX/M4v+W/DGL/1vzxyz+b8sfs/hvnj9m8d8if8ziv2X+mMX/7fljFv+t8scs/lvnj1n8t8kfs/hvmz9m8X9H/pjFf7v8MYv/O/PHLP7vyh+z+G+fP2bx3yF/zOK/Y/6YxX+n/DGL/7vzxyz+78kfs/jvnD9m8X9v/pjFf5f8MYv/+/LHLP7vzx+z+H8gf8ziv2v+mMV/t/wxi//u+WMW/w/mj1n8P5Q/ZvH/cP6Yxf8j+WMW/4/mj1n898gfs/h/LH/M4r9n/pjF/+P5Yxb/T+SPWfz3yh+z+H8yf8ziv3f+mMX/U/ljFv9P549Z/PfJH7P475s/ZvHfL3/M4v+Z/DGL/2fzxyz+n8sfs/jvnz9m8T8gf8zi//n8MYv/gfljFv+D8scs/l/IH7P4H5w/ZvE/JH/M4v/F/DGL/5fyxyz+X84fs/h/JX/M4v/V/DGL/9fyxyz+X88fs/h/I3/M4n9o/pjF/7D8MYv/4fljFv8j8scs/kfmj1n8j8ofs/gfnT9m8T8mf8zif2z+mMX/uPwxi//x+WMW/2/mj1n8T8gfs/ifmD9m8T8pf8zif3L+mMX/lPwxi/+38scs/t/OH7P4n5o/ZvE/LX/M4n96/pjF/4z8MYv/d/LHLP5n5o9Z/M/KH7P4n50/ZvH/bv6Yxf97+WMW/3Pyxyz+5+aPWfzPyx+z+J+fP2bxvyB/zOL//fwxi/8P8scs/j/MH7P4/yh/zOL/4/wxi/9P8scs/hfmj1n8L8ofs/j/NH/M4n9x/pjF/2f5Yxb/S/LHLP6X5o9Z/C/LH7P4X54/ZvG/In/M4n9l/pjF/6r8MYv/z/PHLP6/yB+z+P8yf8zi/6v8MYv/1fljFv9r8scs/r/OH7P4/yZ/zOJ/bf6Yxf+3+WMW/+vyxyz+1+ePWfxvyB+z+P8uf8zif2P+mMX/pvwxi//N+WMW/9/nj1n8/5A/ZvH/Y/6Yxf+W/DGL/5/yxyz+t+aPWfxvyx+z+N+eP2bxvyN/zOL/5/wxi/+d+WMW/7vyxyz+f8kfs/jfnT9m8f9r/pjF/2/5Yxb/v+ePWfz/kT9m8b8nf8zif2/+mMX/vvwxi//9+WMW/wfyxyz+U/LHLP4P5o9Z/B/KH7P4T80fk/jPPsgfs/gP5Y9Z/Eflj1n8Z8sfs/jPnj9m8R+dP2bxnyN/zOI/Z/6YxX+u/DGL/9z5Yxb/efLHLP7z5o9Z/OfLH7P4z58/ZvF/Sv6YxX+B/DGL/5j8MYv/gvljFv+x+WMW/4Xyxyz+C+ePWfyfmj9m8X9a/pjF/+n5Yxb/RfLHLP7PyB+z+C+aP2bxf2b+mMX/WfljFv/F8scs/s/OH7P4Pyd/zOI/Ln/M4v/c/DGL//Pyxyz+z88fs/gvnj9m8V8if8zi/4L8MYv/kvljFv+l8scs/i/MH7P4vyh/zOL/4vwxi/9L8scs/kvnj1n8X5o/ZvFfJn/M4r9s/pjFf7n8MYv/8vljFv8V8scs/ivmj1n8X5Y/ZvFfKX/M4r9y/pjFf5X8MYv/qvljFv+X549Z/FfLH7P4r54/ZvF/Rf6Yxf+V+WMW/1flj1n8x+ePWfwn5I9Z/Cfmj1n818gfs/ivmT9m8V8rf8ziPyl/zOI/OX/M4r92/pjFf538MYv/q/PHLP6vyR+z+K+bP2bxXy9/zOK/fv6Yxf+1+WMW/w3yxyz+rxtcnj9k8d+w8x+z+G+UP2bx3zh/zOK/Sf6Yxf/1+WMW/03zxyz+m+WPWfzfkD9m8X9j/pjF/035Yxb/N+ePWfzfkj9m8X9r/pjF/235Yxb/zfPHLP5b5I9Z/LfMH7P4vz1/zOK/Vf6YxX/r/DGL/zb5Yxb/bfPHLP7vyB+z+G+XP2bxf2f+mMX/XfljFv/t88cs/jvkj1n8d8wfs/jvlD9m8X93/pjF/z35Yxb/nfPHLP7vzR+z+O+SP2bxf1/+mMX//fljFv8P5I8NPTB1ev/l/rvmj1nO/93yxyz+u+ePWfw/mD9m8f9Q/pjF/8P5Yxb/j+SPWfw/mj9m8d8jf8zi/7H8MYv/nvljFv+P549Z/D+RP2bx3yt/zOL/yfwxi//e+WMW/0/lj1n8P50/ZvHfJ3/M4r9v/pjFf7/8MYv/Z/LHLP6fzR+z+H8uf8ziv3/+mMX/gPwxi//n88cs/gfmj1n8D8ofs/h/IX/M4n9w/pjF/5D8MYv/F/PHLP5fyh+z+H85f8zi/5X8MYv/V/PHLP5fyx+z+H89f8zi/438MYv/ofljFv/D8scs/ofnj1n8j8gfs/gfmT9m8T8qf8zif3T+mMX/mPwxi/+x+WMW/+Pyxyz+x+ePWfy/mT9m8T8hf8zif2L+mMX/pPwxi//J+WMW/1Pyxyz+38ofs/h/O3/M4n9q/pjF/7T8MYv/6fljFv8z8scs/t/JH7P4n5k/ZvE/K3/M4n92/pjF/7v5Yxb/7+WPWfzPyR+z+J+bP2bxPy9/zOJ/fv6Yxf+C/DGL//fzxyz+P8gfs/j/MH/M4v+j/DGL/4/zxyz+P8kfs/hfmD9m8b8of8zi/9P8MYv/xfljFv+f5Y9Z/C/JH7P4X5o/ZvG/LH/M4n95/pjF/4r8MYv/lfljFv+r8scs/j/PH7P4/yJ/zOL/y/wxi/+v8scs/lfnj1n8r8kfs/j/On/M4v+b/DGL/7X5Yxb/3+aPWfyvyx+z+F+fP2bxvyF/zOL/u/wxi/+N+WMW/5vyxyz+N+ePWfx/nz9m8f9D/pjF/4/5Yxb/W/LHLP5/yh+z+N+aP2bxvy1/zOJ/e/6Yxf+O/DGL/5/zxyz+d+aPWfzvyh+z+P8lf8zif3f+mMX/r/ljFv+/5Y9Z/P+eP2bx/0f+mMX/nvwxi/+9+WMW//vyxyz+9+ePWfwfyB+z+E/JH7P4P5g/ZvF/KH/M4j81f0ziP3qQP2bxH8ofs/iPyh+z+M+WP2bxnz1/zOI/On/M4j9H/pjFf878MYv/XPljFv+588cs/vPkj1n8580fs/jPlz9m8Z8/f8zi/5T8MYv/AvljFv8x+WMW/wXzxyz+Y/PHLP4L5Y9Z/BfOH7P4PzV/zOL/tPwxi//T88cs/ovkj1n8n5E/ZvFfNH/M4v/M/DGL/7Pyxyz+i+WPWfyfnT9m8X9O/pjFf1z+mMX/ufljFv/n5Y9Z/J+fP2bxXzx/zOK/RP6Yxf8F+WMW/yXzxyz+S+WPWfxfmD9m8X9R/pjF/8X5Yxb/l+SPWfyXzh+z+L80f8ziv0z+mMV/2fwxi/9y+WMW/+Xzxyz+K+SPWfxXzB+z+L8sf8ziv1L+mMV/5fwxi/8q+WMW/1Xzxyz+L88fs/ivlj9m8V89f8zi/4r8MYv/K/PHLP6vyh+z+I/PH7P4T8gfs/hPzB+z+K+RP2bxXzN/zOK/Vv6YxX9S/pjFf3L+mMV/7fwxi/86+WMW/1fnj1n8X5M/ZvFfN3/M4r9e/pjFf/38MYv/a/PHLP4b5I9Z/F+XP2bx3zB/zOK/Uf6YxX/j/DGL/yb5Yxb/1+ePWfw3zR+z+G+WP2bxf0P+mMX/jfljFv835Y9Z/N+cP2bxf0v+mMX/rfljFv+35Y9Z/DfPH7P4b5E/ZvHfMn/M4v/2/DGL/1b5Yxb/rfPHLP7b5I9Z/LfNH7P4vyN/zOK/Xf6Yxf+d+WMW/3flj1n8t88fs/jvkD9m8d8xf8ziv1P+mMX/3fljFv/35I9Z/HfOH7P4vzd/zOK/S/6Yxf99+WMW//fnj1n8P5A/ZvHfNX/M4r9b/pjFf/f8MYv/B/PHLP4fyh+z+H84f8zi/5H8MYv/R/PHLP575I9Z/D+WP2bx3zN/zOL/8fwxi/8n8scs/nvlj1n8P5k/ZvHfO3/M4v+p/DGL/6fzxyz+++SPWfz3zR+z+O+XP2bx/0z+mMX/s/ljFv/P5Y9Z/PfPH7P4H5A/ZvH/fP6Yxf/A/DGL/0H5Yxb/L+SPWfwPzh+z+B+SP2bx/2L+mMX/S/ljFv8v549Z/L+SP2bx/2r+mMX/a/ljFv+v549Z/L+RP2bxPzR/zOJ/WP6Yxf/w/DGL/xH5Yxb/I/PHLP5H5Y9Z/I/OH7P4H5M/ZvE/Nn/M4n9c/pjF//j8MYv/N/PHLP4n5I9Z/E/MH7P4n5Q/ZvE/OX/M4n9K/pjF/1v5Yxb/b+ePWfxPzR+z+J+WP2bxPz1/zOJ/Rv6Yxf87+WMW/zPzxyz+Z+WPWfzPzh+z+H83f8zi/738MYv/OfljFv9z88cs/uflj1n8z88fs/hfkD9m8f9+/pjF/wf5Yxb/H+aPWfx/lD9m8f9x/pjF/yf5Yxb/C/PHLP4X5Y9Z/H+aP2bxvzh/zOL/s/wxi/8l+WMW/0vzxyz+l+WPWfwvzx+z+F+RP2bxvzJ/zOJ/Vf6Yxf/n+WMW/1/kj1n8f5k/ZvH/Vf6Yxf/q/DGL/zX5Yxb/X+ePWfx/kz9m8b82f8zi/9v8MYv/dfljFv/r88cs/jfkj1n8f5c/ZvG/MX/M4n9T/pjF/+b8MYv/7/PHLP5/yB+z+P8xf8zif0v+mMX/T/ljFv9b88cs/rflj1n8b88fs/jfkT9m8f9z/pjF/878MYv/XfljFv+/5I9Z/O/OH7P4/zV/zOL/t/wxi//f88cs/v/IH7P435M/ZvG/N3/M4n9f/pjF//78MYv/A/ljFv8p+WMW/wfzxyz+D+WPWfyn5o9J/OcY5I9Z/Ifyxyz+o/LHLP6z5Y9Z/GfPH7P4j84fs/jPkT9m8Z8zf8ziP1f+mMV/7vwxi/88+WMW/3nzxyz+8+WPWfznzx+z+D8lf8ziv0D+mMV/TP6YxX/B/DGL/9j8MYv/QvljFv+F88cs/k/NH7P4Py1/zOL/9Pwxi/8i+WMW/2fkj1n8F80fs/g/M3/M4v+s/DGL/2L5Yxb/Z+ePWfyfk/8s7THt0eI/Ln/M4v/c/DGL//Pyxyz+z88fs/gvnj9m8V8if8zi/4L8MYv/kvljFv+l8scs/i/MH7P4vyh/zOL/4vwxi/9L8scs/kvnj1n8X5o/ZvFfJn/M4r9s/pjFf7n8MYv/8vljFv8V8scs/ivmj1n8X5Y/ZvFfKX/M4r9y/pjFf5X8MYv/qvljFv+X549Z/FfLH7P4r54/ZvF/Rf6Yxf+V+WMW/1flj1n8x+ePWfwn5I9Z/Cfmj1n818gfs/ivmT9m8V8rf8ziPyl/zOI/OX/M4r92/pjFf538MYv/q/PHLP6vyR+z+K+bP2bxXy9/zOK/fv6Yxf+1+WMW/w3yxyz+r8sfs/hvmD9m8d8of8ziv3H+mMV/k/wxi//r88cs/pvmj1n8N8sfs/i/IX/M4v/G/DGL/5vyxyz+b84fs/i/JX/M4v/W/DGL/9vyxyz+m+ePWfy3yB+z+G+ZP2bxf3v+mMV/q/wxi//W+WMW/23yxyz+2+aPWfzfkT9m8d8uf8zi/878MYv/u/LHLP7b549Z/HfIH7P475g/ZvHfKX/M4v/u/DGL/3vyxyz+O+ePWfzfmz9m8d8lf8zi/778MYv/+/PHLP4fyB+z+O+aP2bx3y1/zOK/e/6Yxf+D+WMW/w/lj1n8P5w/ZvH/SP6Yxf+j+WMW/z3yxyz+H8sfs/jvmT9m8f94/pjF/xP5Yxb/vfLHLP6fzB+z+O+dP2bx/1T+mMX/0/ljFv998scs/vvmj1n898sfs/h/Jn/M4v/Z/DGL/+fyxyz+++ePWfwPyB+z+H8+f8zif2D+mMX/oPwxi/8X8scs/gfnj1n8D8kfs/h/MX/M4v+l/DGL/5fzxyz+X8kfs/h/NX/M4v+1/DGL/9fzxyz+38gfs/gfmj9m8T8sf8zif3j+mMX/iPwxi/+R+WMW/6Pyxyz+R+ePWfyPyR+z+B+bP2bxPy5/zOJ/fP6Yxf+b+WMW/xPyxyz+J+aPWfxPyh+z+J+cP2bxPyV/zOL/rfwxi/+388cs/qfmj1n8T8sfs/ifnj9m8T8jf8zi/538MYv/mfljFv+z8scs/mfnj1n8v5s/ZvH/Xv6Yxf+c/DGL/7n5Yxb/8/LHLP7n549Z/C/IH7P4fz9/zOL/g/wxi/8P88cs/j/KH7P4/zh/zOL/k/wxi/+F+WMW/4vyxyz+P80fs/hfnD9m8f9Z/pjF/5L8MYv/pfljFv/L8scs/pfnj1n8r8gfs/hfmT9m8b8qf8zi//P8MYv/L/LHLP6/zB+z+P8qf8zif3X+mMX/mvwxi/+v88cs/r/JH7P4X5s/ZvH/bf6Yxf+6/DGL//X5Yxb/G/LHLP6/yx+z+N+YP2bxvyl/zOJ/c/6Yxf/3+WMW/z/kj1n8/5g/ZvG/JX/M4v+n/DGL/635Yxb/2/LHLP63549Z/O/IH7P4/zl/zOJ/Z/6Yxf+u/DGL/1/yxyz+d+ePWfz/mj9m8f9b/pjF/+/5Yxb/f+SPWfzvyR+z+N+bP2bxvy9/zOJ/f/6Yxf+B/DGL/5T8MYv/g/ljFv+H8scs/lPzxyT+cw7yxyz+Q/ljFv9R+WMW/9nyxyz+s+ePWfxH549Z/OfIH7P4z5k/ZvGfK3/M4j93/pjFf578MYv/vPljFv/58scs/vPnj1n8n5I/ZvFfIH/M4j8mf8ziv2D+mMV/bP6YxX+h/DGL/8L5Yxb/p+aPWfyflj9m8X96/pjFf5H8MYv/M/LHLP6L5o9Z/J+ZP2bxf1b+mMV/sfwxi/+z88cs/s/JH7P4j8sfs/g/N3/M4v+8/DGL//Pzxyz+i+ePWfyXyB+z+L8gf8ziv2T+mMV/qfwxi/8L88cs/i/KH7P4vzh/zOL/kvwxi//S+WMW/5fmj1n8l8kfs/gvmz9m8V8uf8ziv3z+mMV/hfwxi/+K+WMW/5flj1n8V8ofs/ivnD9m8V8lf8ziv2r+mMX/5fljFv/V8scs/qvnj1n8X5E/ZvF/Zf6Yxf9V+WMW//H5Yxb/CfljFv+J+WMW/zXyxyz+a+aPWfzXyh+z+E/KH7P4T84fs/ivnT9m8V8nf8zi/+r8MYv/a/LHLP7r5o9Z/NfLH7P4r58/ZvF/bf6YxX+D/DGL/+vyxyz+G+aPWfw3yh+z+G+cP2bx3yR/zOL/+vwxi/+m+WMW/83yxyz+b8gfs/i/MX/M4v+m/DGL/5vzxyz+b8kfs/i/NX/M4v+2/DGL/+b5Yxb/LfLHLP5b5o9Z/N+eP2bx3yp/zOK/df6YxX+b/DGL/7b5Yxb/d+SPWfy3yx+z+L8zf8zi/678MYv/9vljFv8d8scs/jvmj1n8d8ofs/i/O3/M4v+e/DGL/875Yxb/9+aPWfx3yR+z+L8vf8zi//78MYv/B/LHLP675o9Z/HfLH7P4754/ZvH/YP6Yxf9D+WMW/w/nj1n8P5I/ZvH/aP6YxX+P/DGL/8fyxyz+e+aPWfw/nj9m8f9E/pjFf6/8MYv/J/PHLP57549Z/D+VP2bx/3T+mMV/n/wxi/+++WMW//3yxyz+n8kfs/h/Nn/M4v+5/DGL//75Yxb/A/LHLP6fzx+z+B+YP2bxPyh/zOL/hfwxi//B+WMW/0Pyxyz+X8wfs/h/KX/M4v/l/DGL/1fyxyz+X80fs/h/LX/M4v/1/DGL/zfyxyz+h+aPWfwPyx+z+B+eP2bxPyJ/zOJ/ZP6Yxf+o/DGL/9H5Yxb/Y/LHLP7H5o9Z/I/LH7P4H58/ZvH/Zv6Yxf+E/DGL/4n5Yxb/k/LHLP4n549Z/E/JH7P4fyt/zOL/7fwxi/+p+WMW/9Pyxyz+p+ePWfzPyB+z+H8nf8zif2b+mMX/rPwxi//Z+WMW/+/mj1n8v5c/ZvE/J3/M4n9u/pjF/7z8MYv/+fljFv8L8scs/t/PH7P4/yB/zOL/w/wxi/+P8scs/j/OH7P4/yR/zOJ/Yf6Yxf+i/DGL/0/zxyz+F+ePWfx/lj9m8b8kf8zif2n+mMX/svwxi//l+WMW/yvyxyz+V+aPWfyvyh+z+P88f8zi/4v8MYv/L/PHLP6/yh+z+F+dP2bxvyZ/zOL/6/wxi/9v8scs/tfmj1n8f5s/ZvG/Ln/M4n99/pjF/4b8MYv/7/LHLP435o9Z/G/KH7P435w/ZvH/ff6Yxf8P+WMW/z/mj1n8b8kfs/j/KX/M4n9r/pjF/7b8MYv/7fljFv878scs/n/OH7P435k/ZvG/K3/M4v+X/DGL/935Yxb/v+aPWfz/lj9m8f97/pjF/x/5Yxb/e/LHLP735o9Z/O/LH7P4358/ZvF/IH/M4j8lf8zi/2D+mMX/ofwxi//U/DGJ/1yD/DGL/1D+mMV/VP6YxX+2/DGL/+z5Yxb/0fljFv858scs/nPmj1n858ofs/jPnT9m8Z8nf8ziP2/+mMV/vvwxi//8+WMW/6fkj1n8F8gfs/iPyR+z+C+YP2bxH5s/ZvFfKH/M4r9w/pjF/6n5Yxb/p+WPWfyfnj9m8V8kf8zi/4z8MYv/ovljFv9n5o9Z/J+VP2bxXyx/zOL/7Pwxi/9z8scs/uPyxyz+z80fs/g/L3/M4v/8/DGL/+L5Yxb/JfLHLP4vyB+z+C+ZP2bxXyp/zOL/wvwxi/+L8scs/i/OH7P4vyR/zOK/dP6Yxf+l+WMW/2Xyxyz+y+aPWfyXyx+z+C+fP2bxXyF/zOK/Yv6Yxf9l+WMW/5Xyxyz+K+ePWfxXyR+z+K+aP2bxf3n+mMV/tfwxi//q+WMW/1fkj1n8X5k/ZvF/Vf6YxX98/pjFf0L+mMV/Yv6YxX+N/DGL/5r5Yxb/tfLHLP6T8scs/pPzxyz+a+ePWfzXyR+z+L86f8zi/5r8MYv/uvljFv/18scs/uvnj1n8X5s/ZvHfIH/M4v+6/DGL/4b5Yxb/jfLHLP4b549Z/DfJH7P4vz5/zOK/af6YxX+z/DGL/xvyxyz+b8wfs/i/KX/M4v/m/DGL/1vyxyz+b80fs/i/LX/M4r95/pjFf4v8MYv/lvljFv+3549Z/LfKH7P4b50/ZvHfJn/M4r9t/pjF/x35Yxb/7fLHLP7vzB+z+L8rf8ziv33+mMV/h/wxi/+O+WMW/53yxyz+784fs/i/J3/M4r9z/pjF/735Yxb/XfLHLP7vyx+z+L8/f8zi/4H8MYv/rvljFv/d8scs/rvnj1n8P5g/ZvH/UP6Yxf/D+WMW/4/kj1n8P5o/ZvHfI3/M4v+x/DGL/575Yxb/j+ePWfw/kT9m8d8rf8zi/8n8MYv/3vljFv9P5Y9Z/D+dP2bx3yd/zOK/b/6YxX+//DGL/2fyxyz+n80fs/h/Ln/M4r9//pjF/4D8MYv/5/PHLP4H5o9Z/A/KH7P4fyF/zOJ/cP6Yxf+Q/DGL/xfzxyz+X8ofs/h/OX/M4v+V/DGL/1fzxyz+X8sfs/h/PX/M4v+N/DGL/6H5Yxb/w/LHLP6H549Z/I/IH7P4H5k/ZvE/Kn/M4n90/pjF/5j8MYv/sfljFv/j8scs/sfnj1n8v5k/ZvE/IX/M4n9i/pjF/6T8MYv/yfljFv9T8scs/t/KH7P4fzt/zOJ/av6Yxf+0/DGL/+n5Yxb/M/LHLP7fyR+z+J+ZP2bxPyt/zOJ/dv6Yxf+7+WMW/+/lj1n8z8kfs/ifmz9m8T8vf8zif37+mMX/gvwxi//388cs/j/IH7P4/zB/zOL/o/wxi/+P88cs/j/JH7P4X5g/ZvG/KH/M4v/T/DGL/8X5Yxb/n+WPWfwvyR+z+F+aP2bxvyx/zOJ/ef6Yxf+K/DGL/5X5Yxb/q/LHLP4/zx+z+P8if8zi/8v8MYv/r/LHLP5X549Z/K/JH7P4/zp/zOL/m/wxi/+1+WMW/9/mj1n8r8sfs/hfnz9m8b8hf8zi/7v8MYv/jfljFv+b8scs/jfnj1n8f58/ZvH/Q/6Yxf+P+WMW/1vyxyz+f8ofs/jfmj9m8b8tf8zif3v+mMX/jvwxi/+f88cs/nfmj1n878ofs/j/JX/M4n93/pjF/6/5Yxb/v+WPWfz/nj9m8f9H/pjF/578MYv/vfljFv/78scs/vfnj1n8H8gfs/hPyR+z+D+YP2bxfyh/zOI/NX9M4j/3IH/M4j+UP2bxH5U/ZvGfLX/M4j97/pjFf3T+mMV/jvwxi/+c+WMW/7nyxyz+c+ePWfznyR+z+M+bP2bxny9/zOI/f/6Yxf8p+WMW/wXyxyz+Y/LHLP4L5o9Z/Mfmj1n8F8ofs/gvnD9m8X9q/pjF/2n5Yxb/p+ePWfwXyR+z+D8jf8ziv2j+mMX/mfljFv9n5Y9Z/BfLH7P4Pzt/zOL/nPwxi/+4/DGL/3Pzxyz+z8sfs/g/P3/M4r94/pjFf4n8MYv/C/LHLP5L5o9Z/JfKH7P4vzB/zOL/ovwxi/+L88cs/i/JH7P4L50/ZvF/af6YxX+Z/DGL/7L5Yxb/5fLHLP7L549Z/FfIH7P4r5g/ZvF/Wf6YxX+l/DGL/8r5Yxb/VfLHLP6r5o9Z/F+eP2bxXy1/zOK/ev6Yxf8V+WMW/1fmj1n8X5U/ZvEfnz9m8Z+QP2bxn5g/ZvFfI3/M4r9m/pjFf638MYv/pPwxi//k/DGL/9r5Yxb/dfLHLP6vzh+z+L8mf8ziv27+mMV/vfwxi//6+WMW/9fmj1n8N8gfs/i/Ln/M4r9h/pjFf6P8MYv/xvljFv9N8scs/q/PH7P4b5o/ZvHfLH/M4v+G/DGL/xvzxyz+b8ofs/i/OX/M4v+W/DGL/1vzxyz+b8sfs/hvnj9m8d8if8ziv2X+mMX/7fljFv+t8scs/lvnj1n8t8kfs/hvmz9m8X9H/pjFf7v8MYv/O/PHLP7vyh+z+G+fP2bx3yF/zOK/Y/6YxX+n/DGL/7vzxyz+78kfs/jvnD9m8X9v/pjFf5f8MYv/+/LHLP7vzx+z+H8gf8ziv2v+mMV/t/wxi//u+WMW/w/mj1n8P5Q/ZvH/cP6Yxf8j+WMW/4/mj1n898gfs/h/LH/M4r9n/pjF/+P5Yxb/T+SPWfz3yh+z+H8yf8ziv3f+mMX/U/ljFv9P549Z/PfJH7P475s/ZvHfL3/M4v+Z/DGL/2fzxyz+n8sfs/jvnz9m8T8gf8zi//n8MYv/gfljFv+D8scs/l/IH7P4H5w/ZvE/JH/M4v/F/DGL/5fyxyz+X84fs/h/JX/M4v/V/DGL/9fyxyz+X88fs/h/I3/M4n9o/pjF/7D8MYv/4fljFv8j8scs/kfmj1n8j8ofs/gfnT9m8T8mf8zif2z+mMX/uPwxi//x+WMW/2/mj1n8T8gfs/ifmD9m8T8pf8zif3L+mMX/lPwxi/+38scs/t/OH7P4n5o/ZvE/LX/M4n96/pjF/4z8MYv/d/LHLP5n5o9Z/M/KH7P4n50/ZvH/bv6Yxf97+WMW/3Pyxyz+5+aPWfzPyx+z+J+fP2bxvyB/zOL//fwxi/8P8scs/j/MH7P4/yh/zOL/4/wxi/9P8scs/hfmj1n8L8ofs/j/NH/M4n9x/pjF/2f5Yxb/S/LHLP6X5o9Z/C/LH7P4X54/ZvG/In/M4n9l/pjF/6r8MYv/z/PHLP6/yB+z+P8yf8zi/6v8MYv/1fljFv9r8scs/r/OH7P4/yZ/zOJ/bf6Yxf+3+WOP9h/9ZA/n3+9x/K/LH7Oc/9fnj1n8b8gfs/j/Ln/M4n9j/pjF/6b8MYv/zfljFv/f549Z/P+QP2bx/2P+mMX/lvwxi/+f8scs/rfmj1n8b8sfs/jfnj9m8b8jf8zi/+f8MYv/nfljFv+78scs/n/JH7P4350/ZvH/a/6Yxf9v+WMW/7/nj1n8/5E/ZvG/J3/M4n9v/pjF/778MYv//fljFv8H8scs/lPyxyz+D+aPWfwfyh+z+E/NH5P4zzPIH7P4D+WPWfxH5Y9Z/GfLH7P4z54/ZvEfnT9m8Z8jf8ziP2f+mMV/rvwxi//c+WMW/3nyx/77/ed6+KP8H9t/v/+05pkvf8ziP3/+mMX/KfljFv8F8scs/mPyxyz+C+aPWfzH5o9Z/BfKH7P4L5w/ZvF/av6Yxf9p+WMW/6fnj1n8F8kfs/g/I3/M4r9o/pjF/5n5Yxb/Z+WPWfwXyx+z+D87f8zi/5z8MYv/uPwxi/9z88cs/s/LH7P4Pz9/zOK/eP6YxX+J/DGL/wvyxyz+S+aPWfyXyh+z+L8wf8zi/6L8MYv/i/PHLP4vyR+z+C+dP2bxf2n+mMV/mfwxi/+y+WMW/+Xyxyz+y+ePWfxXyB+z+K+YP2bxf1n+mMV/pfwxi//K+WMW/1Xyxyz+q+aPWfxfnj9m8V8tf8ziv3r+mMX/FfljFv9X5o9Z/F+VP2bxH58/ZvGfkD9m8Z+YP2bxXyN/zOK/Zv6YxX+t/DGL/6T8MYv/5Pwxi//a+WMW/3Xyxyz+r84fs/i/Jn/M4r9u/pjFf738MYv/+vljFv/X5o9Z/DfIH7P4vy5/zOK/Yf6YxX+j/DGL/8b5Yxb/TfLHLP6vzx+z+G+aP2bx3yx/zOL/hvwxi/8b88cs/m/KH7P4vzl/zOL/lvwxi/9b88cs/m/LH7P4b54/ZvHfIn/M4r9l/pjF/+35Yxb/rfLHLP5b549Z/LfJH7P4b5s/ZvF/R/6YxX+7/DGL/zvzxyz+78ofs/hvnz9m8d8hf8ziv2P+mMV/p/wxi/+788cs/u/JH7P475w/ZvF/b/6YxX+X/DGL//vyxyz+788fs/h/IH/M4r9r/pjFf7f8MYv/7vljFv8P5o9Z/D+UP2bx/3D+mMX/I/ljFv+P5o9Z/PfIH7P4fyx/zOK/Z/6Yxf/j+WMW/0/kj1n898ofs/h/Mn/M4r93/pjF/1P5Yxb/T+ePWfz3yR+z+O+bP2bx3y9/zOL/mfwxi/9n88cs/p/LH7P4758/ZvE/IH/M4v/5/DGL/4H5Yxb/g/LHLP5fyB+z+B+cP2bxPyR/zOL/xfwxi/+X8scs/l/OH7P4fyV/zOL/1fwxi//X8scs/l/PH7P4fyN/zOJ/aP6Yxf+w/DGL/+H5Yxb/I/LHLP5H5o9Z/I/KH7P4H50/ZvE/Jn/M4n9s/pjF/7j8MYv/8fljFv9v5o9Z/E/IH7P4n5g/ZvE/KX/M4n9y/pjF/5T8MYv/t/LHLP7fzh+z+J+aP2bxPy1/zOJ/ev6Yxf+M/DGL/3fyxyz+Z+aPWfzPyh+z+J+dP2bx/27+mMX/e/ljFv9z8scs/ufmj1n8z8sfs/ifnz9m8b8gf8zi//38MYv/D/LHLP4/zB+z+P8of8zi/+P8MYv/T/LHLP4X5o9Z/C/KH7P4/zR/zOJ/cf6Yxf9n+WMW/0vyxyz+l+aPWfwvyx+z+F+eP2bxvyJ/zOJ/Zf6Yxf+q/DGL/8/zxyz+v8gfs/j/Mn/M4v+r/DGL/9X5Yxb/a/LHLP6/zh+z+P8mf8zif23+mMX/t/ljFv/r8scs/tfnj1n8b8gfs/j/Ln/M4n9j/pjF/6b8MYv/zfljFv/f549Z/P+QP2bx/2P+mMX/lvwxi/+f8scs/rfmj1n8b8sfs/jfnj9m8b8jf8zi/+f8MYv/nfljFv+78scs/n/JH7P4350/ZvH/a/6Yxf9v+WMW/7/nj1n8/5E/ZvG/J3/M4n9v/pjF/778MYv//fljFv8H8scs/lPyxyz+D+aPWfwfyh+z+E/NH5P4zzvIH7P4D+WPWfxH5Y9Z/GfLH7P4z54/ZvEfnT9m8Z8jf8ziP2f+mMV/rvwxi//c+WMW/3nyxyz+8+aPWfznyx+z+M+fP2bxf0r+mMV/gfwxi/+Y/DGL/4L5Yxb/sfljFv+F8scs/gvnj1n8n5o/ZvF/Wv6Yxf/p+WMW/0Xyxyz+z8gfs/gvmj9m8X9m/pjF/1n5Yxb/xfLHLP7Pzh+z+D8nf8ziPy5/zOL/3Pwxi//z8scs/s/PH7P4L54/ZvFfIn/M4v+C/DGL/5L5Yxb/pfLHLP4vzB+z+L8of8zi/+L8MYv/S/LHLP5L549Z/F+aP2bxXyZ/zOK/bP6YxX+5/DGL//L5Yxb/FfLHLP4r5o9Z/F+WP2bxXyl/zOK/cv6YxX+V/DGL/6r5Yxb/l+ePWfxXyx+z+K+eP2bxf0X+mMX/lfljFv9X5Y9Z/Mfnj1n8J+SPWfwn5o9Z/NfIH7P4r5k/ZvFfK3/M4j8pf8ziPzl/zOK/dv6YxX+d/DGL/6vzxyz+r8kfs/ivmz9m8V8vf8ziv37+mMX/tfljFv8N8scs/q/LH7P4b5g/ZvHfKH/M4r9x/pjFf5P8MYv/6/PHLP6b5o9Z/DfLH7P4vyF/zOL/xvwxi/+b8scs/m/OH7P4vyV/zOL/1vwxi//b8scs/pvnj1n8t8gfs/hvmT9m8X97/pjFf6v8MYv/1vljFv9t8scs/tvmj1n835E/ZvHfLn/M4v/O/DGL/7vyxyz+2+ePWfx3yB+z+O+YP2bx3yl/zOL/7vwxi/978scs/jvnj1n835s/ZvHfJX/M4v++/DGL//vzxyz+H8gfs/jvmj9m8d8tf8ziv3v+mMX/g/ljFv8P5Y9Z/D+cP2bx/0j+mMX/o/lj//X+c017Oe8e+WP/9f7Tm/dj+WMW/z3zxyz+H88fs/h/In/M4r9X/pjF/5P5Yxb/vfPHLP6fyh+z+H86f8ziv0/+mMV/3/wxi/9++WMW/8/kj1n8P5s/ZvH/XP6YxX///DGL/wH5Yxb/z+ePWfwPzB+z+B+UP2bx/0L+mMX/4Pwxi/8h+WMW/y/mj1n8v5Q/ZvH/cv6Yxf8r+WMW/6/mj1n8v5Y/ZvH/ev6Yxf8b+WMW/0Pzxyz+h+WPWfwPzx+z+B+RP2bxPzJ/zOJ/VP6Yxf/o/DGL/zH5Yxb/Y/PHLP7H5Y9Z/I/PH7P4fzN/zOJ/Qv6Yxf/E/DGL/0n5Yxb/k/PHLP6n5I9Z/L+VP2bx/3b+mMX/1Pwxi/9p+WMW/9Pzxyz+Z+SPWfy/kz9m8T8zf8zif1b+mMX/7Pwxi/9388cs/t/LH7P4n5M/ZvE/N3/M4n9e/pjF//z8MYv/BfljFv/v549Z/H+QP2bx/2H+mMX/R/ljFv8f549Z/H+SP2bxvzB/zOJ/Uf6Yxf+n+WMW/4vzxyz+P8sfs/hfkj9m8b80f8zif1n+mMX/8vwxi/8V+WMW/yvzxyz+V+WPWfx/nj9m8f9F/pjF/5f5Yxb/X+WPWfyvzh+z+F+TP2bx/3X+mMX/N/ljFv9r88cs/r/NH7P4X5c/ZvG/Pn/M4n9D/pjF/3f5Yxb/G/PHLP435Y9Z/G/OH7P4/z5/zOL/h/wxi/8f88cs/rfkj1n8/5Q/ZvG/NX/M4n9b/pjF//b8MYv/HfljFv8/549Z/O/MH7P435U/ZvH/S/6Yxf/u/DGL/1/zxyz+f8sfs/j/PX/M4v+P/DGL/z35Yxb/e/PHLP735Y9Z/O/PH7P4P5A/ZvGfkj9m8X8wf8zi/1D+mMV/av6YxH++Qf6YxX8of8ziPyp/zOI/W/6YxX/2/DGL/+j8MYv/HPljFv8588cs/nPlj1n8584fs/jPkz9m8Z83f8ziP1/+mMV//vwxi/9T8scs/gvkj1n8x+SPWfwXzB+z+I/NH7P4L5Q/ZvFfOH/M4v/U/DGL/9Pyxyz+T88fs/gvkj9m8X9G/pjFf9H8MYv/M/PHLP7Pyh+z+C+WP2bxf3b+mMX/OfljFv9x+WMW/+fmj1n8n5c/ZvF/fv6YxX/x/DGL/xL5Yxb/F+SPWfyXzB+z+C+VP2bxf2H+mMX/RfljFv8X549Z/F+SP2bxXzp/zOL/0vwxi/8y+WMW/2Xzxyz+y+WPWfyXzx+z+K+QP2bxXzF/zOL/svwxi/9K+WMW/5Xzxyz+q+SPWfxXzR+z+L88f8ziv1r+mMV/9fwxi/8r8scs/q/MH7P4vyp/zOI/Pn/M4j8hf8ziPzF/zOK/Rv6YxX/N/DGL/1r5Yxb/SfljFv/J+WMW/7Xzxyz+6+SPWfxfnT9m8X9N/pjFf938MYv/evljFv/188cs/q/NH7P4b5A/ZvF/Xf6YxX/D/DGL/0b5Yxb/jfPHLP6b5I9Z/F+fP2bx3zR/zOK/Wf6Yxf8N+WMW/zfmj1n835Q/ZvF/c/6Yxf8t+WMW/7fmj1n835Y/ZvHfPH/M4r9F/pjFf8v8MYv/2/PHLP5b5Y9Z/LfOH7P4b5M/ZvHfNn/M4v+O/DGL/3b5Yxb/d+aPWfzflT9m8d8+f8ziv0P+mMV/x/wxi/9O+WMP+29z8n+1/7vzxyzn/3vyxyz+O+ePWfzfmz9m8d8lf8zi/778MYv/+/PHLP4fyB+z+O+aP2bx3y1/zOK/e/6Yxf+D+WMW/w/lj1n8P5w/ZvH/SP6Yxf+j+WMW/z3yxyz+H8sfs/jvmT9m8f94/pjF/xP5Yxb/vfLHLP6fzB+z+O+dP2bx/1T+mMX/0/ljFv998scs/vvmj1n898sfs/h/Jn/M4v/Z/DGL/+fyxyz+++ePWfwPyB+z+H8+f8zif2D+mMX/oPwxi/8X8scs/gfnj1n8D8kfs/h/MX/M4v+l/DGL/5fzxyz+X8kfs/h/NX/M4v+1/DGL/9fzxyz+38gfs/gfmj9m8T8sf8zif3j+mMX/iPwxi/+R+WMW/6Pyxyz+R+ePWfyPyR+z+B+bP2bxPy5/zOJ/fP6Yxf+b+WMW/xPyxyz+J+aPWfxPyh+z+J+cP2bxPyV/zOL/rfwxi/+388cs/qfmj1n8T8sfs/ifnj9m8T8jf8zi/538MYv/mfljFv+z8scs/mfnj1n8v5s/ZvH/Xv6Yxf+c/DGL/7n5Yxb/8/LHLP7n549Z/C/IH7P4fz9/zOL/g/wxi/8P88cs/j/KH7P4/zh/zOL/k/wxi/+F+WMW/4vyxyz+P80fs/hfnD9m8f9Z/pjF/5L8MYv/pfljFv/L8scs/pfnj1n8r8gfs/hfmT9m8b8qf8zi//P8MYv/L/LHLP6/zB+z+P8qf8zif3X+mMX/mvwxi/+v88cs/r/JH7P4X5s/ZvH/bf6Yxf+6/DGL//X5Yxb/G/LHLP6/yx+z+N+YP2bxvyl/zOJ/c/6Yxf/3+WMW/z/kj1n8/5g/ZvG/JX/M4v+n/DGL/635Yxb/2/LHLP63549Z/O/IH7P4/zl/zOJ/Z/6Yxf+u/DGL/1/yxyz+d+ePWfz/mj9m8f9b/pjF/+/5Yxb/f+SPWfzvyR+z+N+bP2bxvy9/zOJ/f/6Yxf+B/DGL/5T8MYv/g/ljFv+H8scs/lPzxyT+8w/yxyz+Q/ljFv9R+WMW/9nyxyz+s+ePWfxH549Z/OfIH7P4z5k/ZvGfK3/M4j93/pjFf578MYv/vPljFv/58scs/vPnj1n8n5I/ZvFfIH/M4j8mf8ziv2D+mMV/bP6YxX+h/DGL/8L5Yxb/p+aPWfyflj9m8X96/pjFf5H8MYv/M/LHLP6L5o9Z/J+ZP2bxf1b+mMV/sfwxi/+z88cs/s/JH7P4j8sfs/g/N3/M4v+8/DGL//Pzxyz+i+ePWfyXyB+z+L8gf8ziv2T+mMV/qfwxi/8L88cs/i/KH7P4vzh/zOL/kvwxi//S+WMW/5fmj1n8l8kfs/gvmz9m8V8uf8ziv3z+mMV/hfwxi/+K+WMW/5flj1n8V8ofs/ivnD9m8V8lf8ziv2r+mMX/5fljFv/V8scs/qvnj1n8X5E/ZvF/Zf6Yxf9V+WMW//H5Yxb/CfljFv+J+WMW/zXyxyz+a+aPWfzXyh+z+E/KH7P4T84fs/ivnT9m8V8nf8zi/+r8MYv/a/LHLP7r5o9Z/NfLH7P4r58/ZvF/bf6YxX+D/DGL/+vyxyz+G+aPWfw3yh+z+G+cP2bx3yR/zOL/+vwxi/+m+WMW/83yxyz+b8gfs/i/MX/M4v+m/DGL/5vzxyz+b8kfs/i/NX/M4v+2/DGL/+b5Yxb/LfLHLP5b5o9Z/N+eP2bx3yp/zOK/df6YxX+b/DGL/7b5Yxb/d+SPWfy3yx+z+L8zf8zi/678MYv/9vljFv8d8scs/jvmj1n8d8ofs/i/O3/M4v+e/DGL/875Yxb/9+aPWfx3yR+z+L8vf8zi//78MYv/B/LHLP675o9Z/HfLH7P4754/ZvH/YP6Yxf9D+WMW/w/nj1n8P5I/ZvH/aP6YxX+P/DGL/8fyxyz+e+aPWfw/nj9m8f9E/pjFf6/8MYv/J/PHLP57549Z/D+VP2bx/3T+mMV/n/wxi/+++WMW//3yxyz+n8kfs/h/Nn/M4v+5/DGL//75Yxb/A/LHLP6fzx+z+B+YP2bxPyh/zOL/hfwxi//B+WMW/0Pyxyz+X8wfs/h/KX/M4v/l/DGL/1fyxyz+X80fs/h/LX/M4v/1/DGL/zfyxyz+h+aPWfwPyx+z+B+eP2bxPyJ/zOJ/ZP6Yxf+o/DGL/9H5Yxb/Y/LHLP7H5o9Z/I/LH7P4H58/ZvH/Zv6Yxf+E/DGL/4n5Yxb/k/LHLP4n549Z/E/JH7P4fyt/zOL/7fwxi/+p+WMW/9Pyxyz+p+ePWfzPyB+z+H8nf8zif2b+mMX/rPwxi//Z+WMW/+/mj1n8v5c/ZvE/J3/M4n9u/pjF/7z8MYv/+fljFv8L8scs/t/PH7P4/yB/zOL/w/wxi/+P8scs/j/OH7P4/yR/zOJ/Yf6Yxf+i/DGL/0/zxyz+F+ePWfx/lj9m8b8kf8zif2n+mMX/svwxi//l+WMW/yvyxyz+V+aPWfyvyh+z+P88f8zi/4v8MYv/L/PHLP6/yh+z+F+dP2bxvyZ/zOL/6/wxi/9v8scs/tfmj1n8f5s/ZvG/Ln/M4n99/pjF/4b8MYv/7/LHLP435o9Z/G/KH7P435w/ZvH/ff6Yxf8P+WMW/z/mj1n8b8kfs/j/KX/M4n9r/pjF/7b8MYv/7fljFv878scs/n/OH7P435k/ZvG/K3/M4v+X/DGL/935Yxb/v+aPWfz/lj9m8f97/pjF/x/5Yxb/e/LHLP735o9Z/O/LH7P4358/ZvF/IH/M4j8lf8zi/2D+mMX/ofwxi//U/DGJ/1MG+WMW/6H8MYv/qPwxi/9s+WMW/9nzxyz+o/PHLP5z5I9Z/OfMH7P4z5U/ZvGfO3/M4j9P/pjFf978MYv/fPljFv/588cs/k/JH7P4L5A/ZvEfkz9m8V8wf8ziPzZ/zOK/UP6YxX/h/DGL/1Pzxyz+T8sfs/g/PX/M4r9I/pjF/xn5Yxb/RfPHLP7PzB+z+D8rf8ziv1j+mMX/2fljFv/n5I9Z/Mflj1n8n5s/ZvF/Xv6Yxf/5+WMW/8Xzxyz+S+SPWfxfkD9m8V8yf8ziv1T+mMX/hfljFv8X5Y9Z/F+cP2bxf0n+mMV/6fwxi/9L88cs/svkj1n8l80fs/gvlz9m8V8+f8ziv0L+mMV/xfwxi//L8scs/ivlj1n8V84fs/ivkj9m8V81f8zi//L8MYv/avljFv/V88cs/q/IH7P4vzJ/zOL/qvwxi//4/DGL/4T8MYv/xPwxi/8a+WMW/zVF/nP9C+ta/NcS+f8rWfwn5Y9Z/Cfnj1n8184fs/ivkz9m8X91/pjF/zX5Yxb/dfPHLP7r5Y9Z/NfPH7P4vzZ/zOK/Qf6Yxf91+WMW/w3zxyz+G+WPWfw3zh+z+G+SP2bxf33+mMV/0/wxi/9m+WMW/zfkj1n835g/ZvF/U/6Yxf/N+WMW/7fkj1n835o/ZvF/W/6YxX/z/DGL/xb5Yxb/LfPHLP5vzx+z+G+VP2bx3zp/zOK/Tf6YxX/b/DGL/zvyxyz+2+WPWfzfmT9m8X9X/pjFf/v8MYv/DvljFv8d88cs/jvlj1n8350/ZvF/T/6YxX/n/DGL/3vzxyz+u+SPWfzflz9m8X9//pjF/wP5Yxb/XfPHLP675Y9Z/HfPH7P4f/CJ/Rf4fz6u/6NZ/D/U+Y9Z/D+cP2bx/0j+mMX/o/ljFv898scs/h/LH7P475k/ZvH/eP6Yxf8T+WMW/73yxyz+n8wfs/jvnT9m8f9U/pjF/9P5Yxb/ffLHLP775o9Z/PfLH7P4fyZ/zOL/2fwxi//n8scs/vvnj1n8D8gfs/h/Pn/M4n9g/pjF/6D8MYv/F/LHLP4H549Z/A/JH7P4fzF/zOL/pfwxi/+X88cs/l/JH7P4fzV/zOL/tfwxi//X88cs/t/IH7P4H5o/ZvE/LH/M4n94/pjF/4j8MYv/kfljFv+j8scs/kfnj1n8j8kfs/gfmz9m8T8uf8zif3z+mMX/m/ljFv8T8scs/ifmj1n8T8ofs/ifnD9m8T8lf8zi/638MYv/t/PHLP6n5o9Z/E/LH7P4n54/ZvE/I3/M4v+d/DGL/5n5Yxb/s/LHLP5n549Z/L+bP2bx/17+mMX/nPwxi/+5+WMW//Pyxyz+5+ePWfwvyB+z+H8/f8zi/4P8MYv/D/PHLP4/yh+z+P84f8zi/5P8MYv/hfljFv+L8scs/j/NH7P4X5w/ZvH/Wf6Yxf+S/DGL/6X5Yxb/y/LHLP6X549Z/K/IH7P4X5k/ZvG/Kn/M4v/z/DGL/y/yxyz+v8wfs/j/Kn/M4n91/pjF/5r8MYv/r/PHLP6/yR+z+F+bP2bx/23+mMX/uvwxi//1+WMW/xvyxyz+v8sfs/jfmD9m8b8pf8zif3P+mMX/9/ljFv8/5I9Z/P+YP2bxvyV/zOL/p/wxi/+t+WMW/9vyxyz+t+ePWfzvyB+z+P85f8zif2f+mMX/rvwxi/9f8scs/nfnj1n8/5o/ZvH/W/6Yxf/v+WMW/3/kj1n878kfs/jfmz9m8b8vf8zif3/+mMX/gfwxi/+U/DGL/4P5Yxb/h/LHLP5T88ck/gsM8scs/kP5Yxb/UfljFv/Z8scs/rPn/6hmG3m2+I/OH7P4z5E/ZvGfM3/M4j9X/pjFf+78MYv/PPljFv9588cs/vPlj1n8588fs/g/JX/M4r9A/pjFf0z+mMV/wfwxi//Y/DGL/0L5Yxb/hfPHLP5PzR+z+D8tf8zi//T8MYv/IvljFv9n5I9Z/BfNH7P4PzN/zOL/rPwxi/9i+WMW/2fnj1n8n5M/ZvEflz9m8X9u/pjF/3n5Yxb/5+ePWfwXzx+z+C+RP2bxf0H+mMV/yfwxi/9S+WMW/xfmj1n8X5Q/ZvF/cf6Yxf8l+WMW/6Xzxyz+L80fs/gvkz9m8V82f8ziv1z+mMV/+fwxi/8K+WMW/xXzxyz+L8sfs/ivlD9m8V85f8ziv0r+mMV/1fwxi//L88cs/qvlj1n8V88fs/i/In/M4v/K/DGL/6vyxyz+4/PHLP4T8scs/hPzxyz+a+SPWfzXzB+z+K+VP2bxn5Q/ZvGfnD9m8V87f8ziv07+mMX/1fljFv/X5I9Z/NfNH7P4r5c/ZvFfP3/M4v/a/DGL/wb5Yxb/1+WPWfw3zB+z+G+UP2bx3zh/zOK/Sf6Yxf/1+WMW/03zxyz+m+WPWfzfkD9m8X9j/pjF/035Yxb/N+ePWfzfkj9m8X9r/pjF/235Yxb/zfPHLP5b5I9Z/LfMH7P4vz1/zOK/Vf6YxX/r/DGL/zb5Yxb/bfPHLP7vyB+z+G+XP2bxf2f+mMX/XfljFv/t88cs/jvkj1n8d8wfs/jvlD9m8X93/pjF/z35Yxb/nfPHLP7vzR+z+O+SP2bxf1/+mMX//fljFv8P5I9Z/HfNH7P475Y/ZvHfPX/M4v/B/DGL/4fyxyz+H84fs/h/JP//j316ygLEYGAw+pvF1LZt27Zt2+7Utj21bdu2bdveQM7pe3PvFr4kauk/UP+opf8e+kct/ffUP2rpv5f+UUv/vfWPWvrvo3/U0n9f/aOW/vvpH7X031//qKX/AfpHLf0P1D9q6X+Q/lFL/4P1j1r6H6J/1NL/UP2jlv6H6R+19D9c/6il/xH6Ry39j9Q/aul/lP5RS/+j9Y9a+h+jf9TS/1j9o5b+x+kftfQ/Xv+opf8J+kct/U/UP2rpf5L+UUv/k/WPWvqfon/U0v9U/aOW/qfpH7X0H6R/1NL/dP2jlv5n6B+19D9T/6il/1n6Ry39z9Y/aul/jv5RS/9z9Y9a+p+nf9TS/3z9o5b+F+gftfS/UP+opf9F+kct/S/WP2rpf4n+UUv/S/WPWvpfpn/U0v9y/aOW/lfoH7X0v1L/qKX/VfpHLf2v1j9q6X+N/lFL/2v1j1r6X6d/1NL/ev2jlv436B+19L9R/6il/036Ry39b9Y/aul/i/5RS/9b9Y9a+t+mf9TS/3b9o5b+d+gftfS/U/+opf9d+kct/e/WP2rpf4/+UUv/e/WPWvrfp3/U0v9+/aOW/g/oH7X0f1D/qKX/Q/pHLf0f1j9q6f+I/lFL/0f1j1r6P6Z/1NL/cf2jlv5P6B+19H9S/6il/1P6Ry39n9Y/aun/jP5RS/9n9Y9a+j+nf9TS/3n9o5b+L+gftfR/Uf+opf9L+kct/V/WP2rp/4r+UUv/V/WPWvq/pn/U0v91/aOW/m/oH7X0f1P/qKX/W/pHLf3f1j9q6f+O/lFL/3f1j1r6v6d/1NL/ff2jlv4f6B+19P9Q/6il/0f6Ry39P9Y/aun/if5RS/9P9Y9a+n+mf9TS/3P9o5b+X+gftfT/Uv+opf9X+kct/b/WP2rp/43+UUv/b/WPWvp/p3/U0v97/aOW/j/oH7X0/1H/qKX/T/pHLf1/1j9q6f+L/lFL/1/1j1r6/6Z/VNJ/wF/0j1r6/1X/qKX/3/SPWvr/Xf+opf8/9I9a+v9T/6il/7/+oP+g0nG09P+3/0ct/f+jf9TS/7/6Ry39/6d/1NL///pHLf0H0z9q6T+4/lFL/yH0j1r6D6l/1NJ/gP5RS/+h9I9a+g+tf9TSfxj9o5b+w+oftfQfTv+opf/w+kct/UfQP2rpP6L+UUv/kfSPWvqPrH/U0n8U/aOW/qPqH7X0H03/qKX/6PpHLf3H0D9q6T+m/lFL/7H0j1r6j61/1NJ/HP2jlv7j6h+19B9P/6il//j6Ry39J9A/auk/of5RS/+J9I9a+k+sf9TSfxL9o5b+k+oftfSfTP+opf/k+kct/afQP2rpP6X+UUv/qfSPWvpPrX/U0n8a/aOW/tPqH7X0n07/qKX/9PpHLf1n0D9q6T+j/lFL/5n0j1r6z6x/1NJ/Fv2jlv6z6h+19J9N/6il/+z6Ry3959A/auk/p/5RS/+59I9a+s+tf9TSfx79o5b+8+oftfSfT/+opf/8+kct/RfQP2rpv6D+UUv/hfSPWvovrH/U0n8R/aOW/ovqH7X0X0z/qKX/4vpHLf2X0D9q6b+k/lFL/6X0j1r6L61/1NJ/Gf2jlv7L6h+19F9O/6il//L6Ry39V9A/aum/ov5RS/+V9I9a+q+sf9TSfxX9o5b+q+oftfRfTf+opf/q+kct/dfQP2rpv6b+UUv/tfSPWvqvrX/U0n8d/aOW/uvqH7X0X0//qKX/+vpHLf030D9q6b+h/lFL/430j1r6b6x/1NJ/E/2jlv6b6h+19N9M/6il/+b6Ry39t9A/aum/pf5RS/+t9I9a+m+tf9TSfxv9o5b+2+oftfTfTv+opf/2+kct/XfQP2rpv6P+UUv/nfSPWvrvrH/U0n8X/aOW/rvqH7X0303/qKX/7vpHLf0H6h/96foDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/M6+vcfWWRZwHH+7rWNMTEZccBmaMHlQSITZ7pLxB2GTsa0OunEfAxy7dGOj3WbXYVfAXf6YRAgXSSZZokTZMpQwExqJgWAFEQ26qIkGL4AoRNE4EYJuiYs1pz2ntIe2WZ/6PIvw+fzRc95z9nvXNvn2fRsYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8P+roXHe4bE1A14a2//go4eaeh5nHll20/4/dl1QeSy/vXiQU47pf9Dd3d0989kZ28uHJxVFUfrbdpSPJ1SPS+ffUf+V9t6jMLfrxYXHJv268fD+Vac+XNd55L7anldrixvXrm9u+tSYoggX1RbtpYO6mqIIC2qLe0sH9aWDhbXFw6WDGT0HJxffLx2ct3pT85rSC4uiv2fwXtHQuKMYO6DYYsBPg/7976j/3h2Vx2FOWTnbuKLc/+UdP36z6r2KIfqvnD/Mq+5/xF8gMKSR9f/83MrjMKd81/V/4pPLXx7svaH7r5w/fFr/kM4g9/8DGq2+7688jh/6lH37K2s6jpX6v+TWZ6aVXxp3PPf/7/x+ES6q7n/MgPv/0n38/Mr9/0lFES4ezfcC3m8aGnceHu76P1T/ve+Om1q1qenf/2mtm/aV+n9s4Y8eL79UO8L+5w9z/R+zqOpzBUamofHr3VXX/xH0X3xikFP29f/W479/qNT/o3++//R+742k/4ur+5/e1rJ5+pZtHeeub1m5rmld08a6GXNmzq6vm33+rOk9twS9H0f5XYH3h9Fd/4uJVZuaomjq21/duf+pUv+zHnhgZvmlCSPsf8Gw1/8zXP9hUB8bU4wfX7SvbGtrrev9WDms7/3Y+8cG6f+4fv/vfffMs8t/rLb8WFMUU/r2d55+19JS/28ffGZX+aXxI+x/4bD9z+37e4EIo7z+r6naDOj/wMEXe+7/F99z4LTySyP9/X/RsP2/4voPo9HQWPU//PyPlfrfWVwa2Wlo8N//IJ0c/T/69vVdcevwGf1DOjn6/9OXjpwTtw6L9Q/p5Oh/3Ib7n4tbh0v0D+nk6H/J5DlL49bhUv1DOjn6X/3KOX+PW4dG/UM6Ofo/+2u72uPWYYn+IZ0c/T/YOnNr3Dos1T+kk6P/X57y4Ktx63CZ/iGdHP0fPXr3DXHrcLn+IZ0c/XfuPusncetwhf4hnRz9X7Z2Xohbhyv1D+nk6H/qlL8+FrcOV+kf0snR/+y//fuUuHW4Wv+QTo7+b//y0r1x63CN/iGdHP2Pve7lF+LWYZn+IZ0c/S86a+u8uHW4Vv+QTo7+1/xiTXfcOizXP6STo//p3/7Z+rh1uE7/kE6O/g8teWR33Dpcr39IJ0f/u+uKSXHrcIP+IZ0c/X/rh6cejFuHz+of0snR/x+efGJO3Dqs0D+kk6P/Zz9y23fi1uFG/UM6Ofq/Z9ULZ8atw0r9Qzo5+n9oz3NfjVuHVfqHdHL0//rrLR+IW4fV+od0cvQ/ccLJr8Wtwxr9Qzo5+p93yzda49ahSf+QTo7+W3Z1/jRuHdbqH9LJ0f/Hj01ZHrcO6/QP6eTof9msPR+OW4eb9A/p5Oj/Q4sv2Bm3Duv1D+nk6P/Crk9eGLcOG/QP6eTov+3pL34zbh1u1j+kk6P/PdNeXRC3Ds36h3Ry9P/SikU/j1uHFv1DOjn6f/ORazfGrcNG/UM6Ofp/4ldvHY1bh036h3Ry9P/B8+f/M24dNusf0snR/4KFb6yOW4fP6R/SydH/hs7/vBS3Dq36h3Ry9D/t0FWL49Zhi/4hnRz9/+Dcun1x69Cmf0gnR/93XLG3Pm4dtuof0snR/74Dd94Vtw636B/SydH/G785Y2rcOnxe/5BOjv7vm3Twmrh1aNc/pJOj/99urH06bh226R/SydH/v/ZO3h63Dh36h3Ry9P/Ua11/iVuHW/UP6eTof8W4341/9zs1x7EOt+kf0snR/+SOzffGrcPt+od0cvQ/5+6V58Wtwxf0D+nk6H/LP57/btw6bNc/pLNlW8fNK5ubm1o98cQTT/qenOifTEBq70R/oj8TAAAAAAAAAAAAAABgKDn+OdGJ/hoBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgv+zAgQAAAAAAkP9rI1RVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVhB44FAAAAAIT5WwfRuwEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfAQAA//+tJOI+")
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933,
&(0x7f0000000100)={'veth1_to_team\x00'})
openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0,
&(0x7f0000000000)={0x0}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x101100, 0x0)
r2 = add_key$fscrypt_provisioning(0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff)
keyctl$read(0xb, r2, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x4)
openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x22442, 0xa)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x3c, &(0x7f0000000040)=0x1, 0x4)
setsockopt$inet_tcp_TCP_REPAIR(0xffffffffffffffff, 0x6, 0x13,
&(0x7f00000000c0)=0x1, 0x4)
sendmmsg$inet(0xffffffffffffffff, &(0x7f00000060c0)=[{{0x0, 0x0,
&(0x7f0000000b00)=[{&(0x7f0000000140)="40024193d1", 0x5}], 0x1}},
{{0x0, 0x0, 0x0}}], 0x2, 0x4000000)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67,
&(0x7f0000000180)={0x0, 0xd000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

We used the syzbot kernel config to compile kernel and reproduce the
bug (https://syzkaller.appspot.com/text?tag=KernelConfig&x=6ee9072e2455c395).

If you have any other question, please let me know!

Best Regards,
Yue Sun

[Darrick J. Wong]

On Thu, Feb 12, 2026 at 08:46:42PM +0800, Sam Sun wrote:
> Dear developers and maintainers,
>
> We encountered a slab-use-after-free bug while using our modified
> syzkaller. This bug is successfully reproduced on kernel commit
> 37a93dd5c49b5fda807fd204edf2547c3493319c. Kernel crash log is listed
> below.

Oh good, yet ANOTHER person running their own private syzbot instance,
not using the existing syzbot dashboard, and dumping a zeroday exploit
on a public mailing list.

Why do I keep saying this same damn thing over and over?

Yes, I do have a question: What code change do you propose to *fix*
this problem?

--D

[Sam Sun]

On Fri, Feb 13, 2026 at 12:02 AM Darrick J. Wong <djw...@kernel.org> wrote:
>
> On Thu, Feb 12, 2026 at 08:46:42PM +0800, Sam Sun wrote:
> > Dear developers and maintainers,
> >
> > We encountered a slab-use-after-free bug while using our modified
> > syzkaller. This bug is successfully reproduced on kernel commit
> > 37a93dd5c49b5fda807fd204edf2547c3493319c. Kernel crash log is listed
> > below.
>
> Oh good, yet ANOTHER person running their own private syzbot instance,
> not using the existing syzbot dashboard, and dumping a zeroday exploit
> on a public mailing list.
>
> Why do I keep saying this same damn thing over and over?
>
> Yes, I do have a question: What code change do you propose to *fix*
> this problem?
>
> --D
>

Hi Darrick,

I’m sorry for the noise and for handling this poorly.

The bug appears to be a lifetime mismatch between asynchronous fserror
reporting and temporary XFS inode teardown paths.
xfs_inode_mark_sick/corrupt always trigger inode-scoped async fserror
reporting. That reporting queues work and later does
iput(event->inode) in worker context. But in some paths (e.g.
temporary inode construction/failure paths such as xfs_iget_cache_miss
error handling), the inode can be destroyed directly before the queued
work runs, which can lead to UAF when the worker later touches or puts
that inode.

I added a check in xfs_inode_mark_sick and xfs_inode_mark_corrupt, and
only do inode-scoped fserror reporting if the inode looks
stable/published (not unhashed, not in
I_NEW/I_WILL_FREE/I_FREEING/I_CLEAR). Otherwise, fall back to
superblock-scoped metadata error reporting. This keeps error reporting
but avoids queuing async inode events for short-lived/teardown inodes.

Could you please check if this fix would apply?

diff --git a/fs/xfs/xfs_health.c b/fs/xfs/xfs_health.c
index 169123772cb3..d7c5e97801bf 100644
--- a/fs/xfs/xfs_health.c
+++ b/fs/xfs/xfs_health.c
@@ -38,6 +38,37 @@ xfs_health_unmount_group(
}
}
+static bool
+xfs_inode_can_report_file_error(
+ struct inode *inode)
+{
+ enum inode_state_flags_enum state;
+ bool ok;
+
+ spin_lock(&inode->i_lock);
+ state = inode_state_read(inode);
+ ok = !inode_unhashed(inode) &&
+ !(state & (I_NEW | I_WILL_FREE | I_FREEING | I_CLEAR));
+ if (ok)
+ inode_state_clear(inode, I_DONTCACHE);
+ spin_unlock(&inode->i_lock);
+
+ return ok;
+}
+
+static void
+xfs_report_inode_corruption(
+ struct xfs_inode *ip)
+{
+ struct inode *inode = VFS_I(ip);
+
+ if (xfs_inode_can_report_file_error(inode))
+ fserror_report_file_metadata(inode, -EFSCORRUPTED, GFP_NOFS);
+ else
+ fserror_report_metadata(ip->i_mount->m_super, -EFSCORRUPTED,
+ GFP_NOFS);
+}
+
/*
* Warn about metadata corruption that we detected but haven't fixed, and
* make sure we're not sitting on anything that would get in the way of
@@ -330,16 +361,7 @@ xfs_inode_mark_sick(
ip->i_sick |= mask;
spin_unlock(&ip->i_flags_lock);
- /*
- * Keep this inode around so we don't lose the sickness report. Scrub
- * grabs inodes with DONTCACHE assuming that most inode are ok, which
- * is not the case here.
- */
- spin_lock(&VFS_I(ip)->i_lock);
- inode_state_clear(VFS_I(ip), I_DONTCACHE);
- spin_unlock(&VFS_I(ip)->i_lock);
-
- fserror_report_file_metadata(VFS_I(ip), -EFSCORRUPTED, GFP_NOFS);
+ xfs_report_inode_corruption(ip);
if (mask)
xfs_healthmon_report_inode(ip, XFS_HEALTHMON_SICK, old_mask,
mask);
@@ -362,16 +384,7 @@ xfs_inode_mark_corrupt(
ip->i_checked |= mask;
spin_unlock(&ip->i_flags_lock);
- /*
- * Keep this inode around so we don't lose the sickness report. Scrub
- * grabs inodes with DONTCACHE assuming that most inode are ok, which
- * is not the case here.
- */
- spin_lock(&VFS_I(ip)->i_lock);
- inode_state_clear(VFS_I(ip), I_DONTCACHE);
- spin_unlock(&VFS_I(ip)->i_lock);
-
- fserror_report_file_metadata(VFS_I(ip), -EFSCORRUPTED, GFP_NOFS);
+ xfs_report_inode_corruption(ip);
if (mask)
xfs_healthmon_report_inode(ip, XFS_HEALTHMON_CORRUPT, old_mask,
mask);


Also, for future reports like this, what is the preferred process?
Should I report privately first (e.g. to kernel security) before
posting publicly when a bug might have exploitation potential?

Sorry again, and thanks for the direct feedback.

Best Regards,
Yue

[Darrick J. Wong]

This is neither xfs nor kernel coding style.

> + enum inode_state_flags_enum state;
> + bool ok;
> +
> + spin_lock(&inode->i_lock);
> + state = inode_state_read(inode);
> + ok = !inode_unhashed(inode) &&
> + !(state & (I_NEW | I_WILL_FREE | I_FREEING | I_CLEAR));

I don't like the idea of looking at VFS state in XFS code, surely this
belongs in fserror_report itself?

The problem you have here (guessing from the stack trace because again a
log of strace calls is NOT a reproducer!) is that xfs_iget_cache_miss
allocates a new xfs_inode (which doesn't set XFS_INEW), trips over a
corruption error, and passes the xfs_inode to xfs_inode_mark_sick.

_mark_sick then passes it to fserror_report, which it shouldn't do
because the xfs_inode hasn't been set up with vfs state yet. IOWs,
the XFS side of the fix should probably be setting XFS_INEW earlier
and not passing inodes to fserror_report if they've XFS_INEW (or
RECLAIM) set.

On the VFS side of things, fserror_report should clarify that it must
only be passed active inodes (aka ones that don't have
I_NEW/I_FREEING/I_WILL_FREE set), at which point it could probably
increment inode::i_count on its own instead of calling igrab, which
would fix the lockdep spew that hch reported earlier this morning.

Also xfs shouldn't be passing metadata inodes into the VFS because
there's nothing good that can come from telling userspace about file
errors for a file that it cannot ever open.

IOWs, I think this is a better alternative:


static inline void xfs_inode_report_fserror(struct xfs_inode *ip)
{
/*
* Do not report inodes being constructed or freed, or metadata
* inodes, to fsnotify.
*/
if (xfs_iflags_test(ip, XFS_INEW | XFS_IRECLAIM) ||
xfs_is_internal_inode(ip)) {
fserror_report_metadata(ip->i_mount->m_super, -EFSCORRUPTED,
GFP_NOFS);
return;
}

fserror_report_file_metadata(VFS_I(ip), -EFSCORRUPTED, GFP_NOFS);

}

> + if (ok)
> + inode_state_clear(inode, I_DONTCACHE);

Why is clearing I_DONTCACHE now conditional?

Do not delete explanatory comments.

> - */
> - spin_lock(&VFS_I(ip)->i_lock);
> - inode_state_clear(VFS_I(ip), I_DONTCACHE);
> - spin_unlock(&VFS_I(ip)->i_lock);
> -
> - fserror_report_file_metadata(VFS_I(ip), -EFSCORRUPTED, GFP_NOFS);
> + xfs_report_inode_corruption(ip);

It's not good practice for a function to contain hidden side effects
that aren't even hinted at in the name/comment.

> if (mask)
> xfs_healthmon_report_inode(ip, XFS_HEALTHMON_SICK, old_mask,
> mask);
> @@ -362,16 +384,7 @@ xfs_inode_mark_corrupt(
> ip->i_checked |= mask;
> spin_unlock(&ip->i_flags_lock);
> - /*
> - * Keep this inode around so we don't lose the sickness report. Scrub
> - * grabs inodes with DONTCACHE assuming that most inode are ok, which
> - * is not the case here.
> - */
> - spin_lock(&VFS_I(ip)->i_lock);
> - inode_state_clear(VFS_I(ip), I_DONTCACHE);
> - spin_unlock(&VFS_I(ip)->i_lock);
> -
> - fserror_report_file_metadata(VFS_I(ip), -EFSCORRUPTED, GFP_NOFS);
> + xfs_report_inode_corruption(ip);
> if (mask)
> xfs_healthmon_report_inode(ip, XFS_HEALTHMON_CORRUPT, old_mask,
> mask);
>
>
> Also, for future reports like this, what is the preferred process?
> Should I report privately first (e.g. to kernel security) before
> posting publicly when a bug might have exploitation potential?

As I said in the last email, don't run your own private syzbot instance
that makes triaging difficult because it doesn't integrate with the
syzkaller dashboards.

I'm really sick of saying this over and over again.

--D

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: dc855b77719f Merge tag 'irq-drivers-2026-02-09' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16d8ccaa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3f400265d9837ec
dashboard link: https://syzkaller.appspot.com/bug?extid=fbf6ff30de890ff32ec5
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=173a5b22580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1648d7fa580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-dc855b77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9b3fb6cba25b/vmlinux-dc855b77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1e986cdef5ea/bzImage-dc855b77.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e278523ff18b/mount_1.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1599365a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fbf6ff...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in inode_state_read_once include/linux/fs.h:884 [inline]
BUG: KASAN: slab-use-after-free in iput+0x3a7/0xe80 fs/inode.c:1977
Read of size 4 at addr ffff88800ba8efb8 by task kworker/0:2/54

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events fserror_worker
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
inode_state_read_once include/linux/fs.h:884 [inline]
iput+0x3a7/0xe80 fs/inode.c:1977
fserror_worker+0x230/0x350 fs/fserror.c:69
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

Allocated by task 5498:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_lru_noprof+0x35f/0x6c0 mm/slub.c:5282
xfs_inode_alloc+0x7e/0x710 fs/xfs/xfs_icache.c:97
xfs_iget_cache_miss fs/xfs/xfs_icache.c:635 [inline]
xfs_iget+0xa85/0x2ce0 fs/xfs/xfs_icache.c:799
xfs_lookup+0x321/0x630 fs/xfs/xfs_inode.c:553
xfs_vn_lookup+0x130/0x200 fs/xfs/xfs_iops.c:327
__lookup_slow+0x2b7/0x410 fs/namei.c:1916
lookup_slow+0x53/0x70 fs/namei.c:1933
ovl_lookup_positive_unlocked fs/overlayfs/namei.c:210 [inline]
ovl_lookup_single+0x32f/0xea0 fs/overlayfs/namei.c:254
ovl_lookup_layer+0x377/0x450 fs/overlayfs/namei.c:359
ovl_lookup_layers fs/overlayfs/namei.c:1103 [inline]
ovl_lookup+0x5f2/0x1c80 fs/overlayfs/namei.c:1397
lookup_one_qstr_excl+0x131/0x360 fs/namei.c:1805
__start_renaming+0x1db/0x410 fs/namei.c:3862
filename_renameat2+0x38c/0x9c0 fs/namei.c:6119
__do_sys_renameat2 fs/namei.c:6173 [inline]
__se_sys_renameat2+0x5a/0x2c0 fs/namei.c:6168
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5498:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6674 [inline]
kmem_cache_free+0x195/0x610 mm/slub.c:6789
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

Last potentially related work creation:

kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3131 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
xfs_iget_cache_miss fs/xfs/xfs_icache.c:740 [inline]
xfs_iget+0xb01/0x2ce0 fs/xfs/xfs_icache.c:799
xfs_lookup+0x321/0x630 fs/xfs/xfs_inode.c:553
xfs_vn_lookup+0x130/0x200 fs/xfs/xfs_iops.c:327
__lookup_slow+0x2b7/0x410 fs/namei.c:1916
lookup_slow+0x53/0x70 fs/namei.c:1933
ovl_lookup_positive_unlocked fs/overlayfs/namei.c:210 [inline]
ovl_lookup_single+0x32f/0xea0 fs/overlayfs/namei.c:254
ovl_lookup_layer+0x377/0x450 fs/overlayfs/namei.c:359
ovl_lookup_layers fs/overlayfs/namei.c:1103 [inline]
ovl_lookup+0x5f2/0x1c80 fs/overlayfs/namei.c:1397
lookup_one_qstr_excl+0x131/0x360 fs/namei.c:1805
__start_renaming+0x1db/0x410 fs/namei.c:3862
filename_renameat2+0x38c/0x9c0 fs/namei.c:6119
__do_sys_renameat2 fs/namei.c:6173 [inline]
__se_sys_renameat2+0x5a/0x2c0 fs/namei.c:6168
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88800ba8ed00

which belongs to the cache xfs_inode of size 1784

The buggy address is located 696 bytes inside of

freed 1784-byte region [ffff88800ba8ed00, ffff88800ba8f3f8)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xba8c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8880125ab781
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88803139da00 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000000f5000000 ffff8880125ab781
head: 00fff00000000040 ffff88803139da00 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000000f5000000 ffff8880125ab781
head: 00fff00000000002 ffffea00002ea301 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004

page dumped because: kasan: bad access detected

page_owner tracks the page as allocated

page last allocated via order 2, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5498, tgid 5497 (syz.0.17), ts 109700745240, free_ts 106973924123
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3a0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xd90/0x1790 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
kmem_cache_alloc_lru_noprof+0x3ed/0x6c0 mm/slub.c:5282
xfs_inode_alloc+0x7e/0x710 fs/xfs/xfs_icache.c:97
xfs_iget_cache_miss fs/xfs/xfs_icache.c:635 [inline]
xfs_iget+0xa85/0x2ce0 fs/xfs/xfs_icache.c:799
xfs_icreate+0xbe/0x170 fs/xfs/xfs_inode.c:600
xfs_create+0x648/0xae0 fs/xfs/xfs_inode.c:721
xfs_generic_create+0x410/0xb30 fs/xfs/xfs_iops.c:216
xfs_vn_mkdir+0x37/0x50 fs/xfs/xfs_iops.c:309
vfs_mkdir+0x413/0x630 fs/namei.c:5233
filename_mkdirat+0x285/0x510 fs/namei.c:5266
page last free pid 5456 tgid 5456 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xbf8/0xd70 mm/page_alloc.c:2973
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5956
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x427/0x6f0 mm/slub.c:5315
__alloc_skb+0x1d7/0x390 net/core/skbuff.c:679
alloc_skb include/linux/skbuff.h:1383 [inline]
nlmsg_new include/net/netlink.h:1055 [inline]
netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2487
netlink_rcv_skb+0x2b6/0x4b0 net/netlink/af_netlink.c:2556
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x709/0x7a0 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff88800ba8ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800ba8ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88800ba8ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88800ba8f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800ba8f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup