From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F5AEC3DA45 for ; Wed, 10 Jul 2024 10:20:33 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E18AC6B008C; Wed, 10 Jul 2024 06:20:32 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D9FA56B0095; Wed, 10 Jul 2024 06:20:32 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C19BF6B0096; Wed, 10 Jul 2024 06:20:32 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id A05F96B008C for ; Wed, 10 Jul 2024 06:20:32 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 4377EC1C5E for ; Wed, 10 Jul 2024 10:20:32 +0000 (UTC) X-FDA: 82323448704.07.EEF78BB Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf26.hostedemail.com (Postfix) with ESMTP id B266B14000A for ; Wed, 10 Jul 2024 10:20:28 +0000 (UTC) Authentication-Results: imf26.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=mSAsZvmo; spf=none (imf26.hostedemail.com: domain of BATV+179270d1b3693ee586b2+7626+infradead.org+dwmw2@casper.srs.infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=BATV+179270d1b3693ee586b2+7626+infradead.org+dwmw2@casper.srs.infradead.org; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1720606813; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=HVEeB1pn9MApGc5grau6BibNUrckd8qyNkAqV2snhFU=; b=ngxnoGrKTSlnWJvCtOQ/4i6mzqSbJu5TrQkDPc6oFJS2Qtrmx4lIruRj44L/i5bWuY4US6 /uzEbkUzcVyvHCUQoh4ikK9R1Uu9270RnA/rsJs+ttlDu/siZtMfUCCScviZrZAaROviAG CBx2do4ka8Y3ot0sdWU0zuhn6T+TPw0= ARC-Authentication-Results: i=1; imf26.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=mSAsZvmo; spf=none (imf26.hostedemail.com: domain of BATV+179270d1b3693ee586b2+7626+infradead.org+dwmw2@casper.srs.infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=BATV+179270d1b3693ee586b2+7626+infradead.org+dwmw2@casper.srs.infradead.org; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1720606813; a=rsa-sha256; cv=none; b=ujeAzMnYG8xhepX+3kXDo4vOdtLL0s4P5B9RZaAEGKYLUfpdRieWKoZ2e6feFTdwXpPGm0 gL44K4+Y1H3nIJ/SYyVh8CNuAlHBWuW/xnTDCP+wzQrEFM+M2x8L8hhaEWy5Glw4WbcHI9 ifs/sxt2CXJlVKWjk1JbBRQyq8InvJo= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=MIME-Version:Content-Type:References: In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=HVEeB1pn9MApGc5grau6BibNUrckd8qyNkAqV2snhFU=; b=mSAsZvmoyk5FJEkyWmJV9q2iqp wPi39IRqFoUdsPF1960MpEPAPtumIr7N43Roo14VmmPyOlRLsAGTFv0OBGdCqCSKbwU1aNNjBBS/C 7xVgE1CGd0BayhhUCMJt/3LPlMjQSgZf+liQp5lrZnUCHLInCiCAkIOZv8Bu4yoUTSEU0riW95Kre tCCz/hdHmd4JHmo6NC04RfQ6fWZuGBb3U2BzSh6W0plhqwEgHw/xHSEpAydX8FMVxEbNtJ6+dVbVv WF9di5PojlEo53ovytlP3CWEWhIxQo5spelIJVB0Hckj4Q9IrvNjDG6nG5KiTCAn1Y3wvYSPE8b0Z 7BDAi7Tg==; Received: from [2001:8b0:10b:5:daed:e261:1c9e:7a77] (helo=u3832b3a9db3152.ant.amazon.com) by casper.infradead.org with esmtpsa (Exim 4.97.1 #2 (Red Hat Linux)) id 1sRUQo-000000096Dm-1dp9; Wed, 10 Jul 2024 10:20:14 +0000 Message-ID: <9a0e63b7d45beca7b7a30debd3831f433626e5f6.camel@infradead.org> Subject: Re: [RFC PATCH 3/8] kvm: pfncache: enlighten about gmem From: David Woodhouse To: Patrick Roy , seanjc@google.com, pbonzini@redhat.com, akpm@linux-foundation.org, rppt@kernel.org, david@redhat.com Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, willy@infradead.org, graf@amazon.com, derekmn@amazon.com, kalyazin@amazon.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, dmatlack@google.com, tabba@google.com, chao.p.peng@linux.intel.com, xmarcalx@amazon.co.uk, James Gowans Date: Wed, 10 Jul 2024 11:20:13 +0100 In-Reply-To: References: <20240709132041.3625501-1-roypat@amazon.co.uk> <20240709132041.3625501-4-roypat@amazon.co.uk> Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature"; boundary="=-hSekdqyhU16h+v9CUH6a" User-Agent: Evolution 3.44.4-0ubuntu2 MIME-Version: 1.0 X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html X-Rspamd-Server: rspam11 X-Rspamd-Queue-Id: B266B14000A X-Stat-Signature: j77b9e11u81mo9zkzc5nhbqnb3pqssom X-Rspam-User: X-HE-Tag: 1720606828-536483 X-HE-Meta: U2FsdGVkX19EtgBYmlIBQ/i3Opalf3ZHEZeH2dchSLnnLMsSP2szLPa5U/Yp8gVbGGxNILwH8nV3vCw07X3qXV2BTAMb1z/lrg3aMow4glRkIfRQhCU8dbuoQ6fNob4UeEZIHNtwxIhWNJtUDS441180Z2tCx9A7wJDVYOB9xz3vwCreGx+Crf1Xp9QmsmnzyIIyVz5Fe3Pqo0Uo4IrlH2tf5YFpclerJfbOnhjfLoK+RZUx1J/4kKwI+T7vxKwPhBREoYO8+WcXVADu8U7Lf3z1PwvNMjjtE5kg04SZ5GXgAYMaRvW58lPmmKxvFTzm/PTZSCgkBrIX63Bel9qrl2JMcTHIKwDPob/PKRJ2qFLMrTfT+9Nu5HjnkK3YsTA3WCI/EnXSgHsXkg364LWBEyphFQFZY7RSiq2DUe9hokTeYDPqjGHCcWeUgQyr/kWaASWQRZ3UvsWwO1RCD9gFgr4JiGoauhzVb08UOhJIW99pfL2SaeG/neNEW34jDKEVFxPbxyugRf1SMiaLxwyJMjYE9oGAfmfu/fYLyrQzhuEvleXYDrrOUTOzS5Xku6EvURjPO75+xFqzsQSsjDDG58XRu4qZRqA0NNsRxPiD0C23Z29nyySZYbBtIZ08mDrqLQgLOc/Y3oHb7WWKdstEDZfDdpYL8jkCyzmRsDr/wbm0023rG/0sclhXmc6IoYtkIEGfmNIgI7mcJWSREX7OJI9ms3wwRhcVdaiAff+mlx3rn0VkNGf/Zm5wDuSI41Lmn4f2B10w7eyNpyTPXB/g1Uc/r5kXcD3sFH/J150hyB3Q4bNVrLLiJaitx6Gmn00/WYOSfOkT3tD0nsoQrOyhzcI5oMg7NMldQ0q7Gz25wPqblvCrt11WzwzO8gdxubvTIK9HaUMxJiETnX2muC6DpVMRmYzZiPiIk3Snc8E+p9i49LnCJcdhS3wy19qzEi2yUWw3ioSWyW8t4cx5iqx Bgmjyvxl RvEu1gWnp+Q+eiqMD21IfXSYlzcaPou1cYgzLJ4+tNpyhbBjK7XFpFytmo3VusdGhElDIvpUI/G34GN2V/6Jm0yiYk3E6b08nItTZdDWlS0T+tQ4EqBInWEs//wHa2FKMxlUx38S3gvLU4Stjrmf1D03516yRu9ngri9bSpe9/mf+7eVACRHJry0M/fzuukQeUgx50U+sDDOD8ckwDLeJdQY1vwLl0SHM5zpCSZHewBNUY7qI9ZyMib5K4+slHzakw8MzkLIDU8UvbySh8YWxDnqGtUnFLZoHw58b0uXZl0Iv1lJ/584Qc+fTqHmiTaGKOO8h2PIDFQObvoBe4YaDyLPqf41Dpfgx75zJyv1F9jNHTspBVMiA0i7VcOv8bGA6CZcOqhTwUBcAq+ojCR/LKK75hguPcmL8N0nt7N6929y+93doRo56NDtX1s0X9XT5h1fDYu1sroE6r8bA3QV0kWxkfurdu6W5hrLvH0YdFze4f0sSAZnuGPymEzB9RywcMa5UtYW23UbhrXv1nJ3mC0vv2zAiz1ATXA+HTlzJ8XhCEAHkMraQEggvxK27dax5iMpb4SSXJSnD67nUlC2FWlE4dU+iY2DlSJX0Nci8MYdqMGecrcRe+dPCkCZMhXGNZ+Wr76zVHGPJBlQzzEaf4zxcu96S6gMaNGpj0eMII2uaq9o= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: --=-hSekdqyhU16h+v9CUH6a Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, 2024-07-10 at 10:49 +0100, Patrick Roy wrote: > On 7/9/24 15:36, David Woodhouse wrote: I did? It isn't September yet, surely? > > On Tue, 2024-07-09 at 14:20 +0100, Patrick Roy wrote: > > > KVM uses gfn_to_pfn_caches to cache translations from gfn all the way= to > > > the pfn (for example, kvm-clock caches the page storing the page used > > > for guest/host communication this way). Unlike the gfn_to_hva_cache, > > > where no equivalent caching semantics were possible to gmem-backed gf= ns > > > (see also 858e8068a750 ("kvm: pfncache: enlighten about gmem")), here= it > > > is possible to simply cache the pfn returned by `kvm_gmem_get_pfn`. > > >=20 > > > Additionally, gfn_to_pfn_caches now invalidate whenever a cached gfn'= s > > > attributes are flipped from shared to private (or vice-versa). > > >=20 > > > Signed-off-by: Patrick Roy > >=20 > > I can't see how this is safe from race conditions. > >=20 > > When the GPC is invalidated from gfn_to_pfn_cache_invalidate_start() > > its *write* lock is taken and gpc->valid is set to false. > >=20 > > In parallel, any code using the GPC to access guest memory will take > > the *read* lock, call kvm_gpc_check(), and then go ahead and use the > > pointer to its heart's content until eventually dropping the read lock. > >=20 > > Since invalidation takes the write lock, it has to wait until the GPC > > is no longer in active use, and the pointer cannot be being > > dereferenced. > >=20 > > How does this work for the kvm_mem_is_private() check. You've added a > > check in kvm_gpc_check(), but what if the pfn is made private > > immediately *after* that check? Unless the code path which makes the > > pfn private also takes the write lock, how is it safe? >=20 > Ah, you're right - I did in fact overlook this. I do think that it works > out though: kvm_vm_set_mem_attributes, which is used for flipping > between shared/private, registers the range which had its attributes > changed for invalidation, and thus gfn_to_pfn_cache_invalidate_start > should get called for it (although I have to admit I do not immediately > see what the exact callstack for this looks like, so maybe I am > misunderstanding something about invalidation here?). In that case, wouldn't that mean the explicit checks on gpc->is_private matching kvm_mem_is_private() would be redundant and you can remove them because you can trust that gpc->valid would be cleared? --=-hSekdqyhU16h+v9CUH6a Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCEkQw ggYQMIID+KADAgECAhBNlCwQ1DvglAnFgS06KwZPMA0GCSqGSIb3DQEBDAUAMIGIMQswCQYDVQQG EwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxMLSmVyc2V5IENpdHkxHjAcBgNVBAoT FVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0 aW9uIEF1dGhvcml0eTAeFw0xODExMDIwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMIGWMQswCQYDVQQG EwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYD VQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50 aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAyjztlApB/975Rrno1jvm2pK/KxBOqhq8gr2+JhwpKirSzZxQgT9tlC7zl6hn1fXjSo5MqXUf ItMltrMaXqcESJuK8dtK56NCSrq4iDKaKq9NxOXFmqXX2zN8HHGjQ2b2Xv0v1L5Nk1MQPKA19xeW QcpGEGFUUd0kN+oHox+L9aV1rjfNiCj3bJk6kJaOPabPi2503nn/ITX5e8WfPnGw4VuZ79Khj1YB rf24k5Ee1sLTHsLtpiK9OjG4iQRBdq6Z/TlVx/hGAez5h36bBJMxqdHLpdwIUkTqT8se3ed0PewD ch/8kHPo5fZl5u1B0ecpq/sDN/5sCG52Ds+QU5O5EwIDAQABo4IBZDCCAWAwHwYDVR0jBBgwFoAU U3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFAnA8vwL2pTbX/4r36iZQs/J4K0AMA4GA1Ud DwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF BQcDBDARBgNVHSAECjAIMAYGBFUdIAAwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2Vy dHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUF BwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJT QUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0G CSqGSIb3DQEBDAUAA4ICAQBBRHUAqznCFfXejpVtMnFojADdF9d6HBA4kMjjsb0XMZHztuOCtKF+ xswhh2GqkW5JQrM8zVlU+A2VP72Ky2nlRA1GwmIPgou74TZ/XTarHG8zdMSgaDrkVYzz1g3nIVO9 IHk96VwsacIvBF8JfqIs+8aWH2PfSUrNxP6Ys7U0sZYx4rXD6+cqFq/ZW5BUfClN/rhk2ddQXyn7 kkmka2RQb9d90nmNHdgKrwfQ49mQ2hWQNDkJJIXwKjYA6VUR/fZUFeCUisdDe/0ABLTI+jheXUV1 eoYV7lNwNBKpeHdNuO6Aacb533JlfeUHxvBz9OfYWUiXu09sMAviM11Q0DuMZ5760CdO2VnpsXP4 KxaYIhvqPqUMWqRdWyn7crItNkZeroXaecG03i3mM7dkiPaCkgocBg0EBYsbZDZ8bsG3a08LwEsL 1Ygz3SBsyECa0waq4hOf/Z85F2w2ZpXfP+w8q4ifwO90SGZZV+HR/Jh6rEaVPDRF/CEGVqR1hiuQ OZ1YL5ezMTX0ZSLwrymUE0pwi/KDaiYB15uswgeIAcA6JzPFf9pLkAFFWs1QNyN++niFhsM47qod x/PL+5jR87myx5uYdBEQkkDc+lKB1Wct6ucXqm2EmsaQ0M95QjTmy+rDWjkDYdw3Ms6mSWE3Bn7i 5ZgtwCLXgAIe5W8mybM2JzCCBhQwggT8oAMCAQICEQDGvhmWZ0DEAx0oURL6O6l+MA0GCSqGSIb3 DQEBCwUAMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD VQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28g UlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTIyMDEwNzAw MDAwMFoXDTI1MDEwNjIzNTk1OVowJDEiMCAGCSqGSIb3DQEJARYTZHdtdzJAaW5mcmFkZWFkLm9y ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQ3GpC2bomUqk+91wLYBzDMcCj5C9m6 oZaHwvmIdXftOgTbCJXADo6G9T7BBAebw2JV38EINgKpy/ZHh7htyAkWYVoFsFPrwHounto8xTsy SSePMiPlmIdQ10BcVSXMUJ3Juu16GlWOnAMJY2oYfEzmE7uT9YgcBqKCo65pTFmOnR/VVbjJk4K2 xE34GC2nAdUQkPFuyaFisicc6HRMOYXPuF0DuwITEKnjxgNjP+qDrh0db7PAjO1D4d5ftfrsf+kd RR4gKVGSk8Tz2WwvtLAroJM4nXjNPIBJNT4w/FWWc/5qPHJy2U+eITZ5LLE5s45mX2oPFknWqxBo bQZ8a9dsZ3dSPZBvE9ZrmtFLrVrN4eo1jsXgAp1+p7bkfqd3BgBEmfsYWlBXO8rVXfvPgLs32VdV NZxb/CDWPqBsiYv0Hv3HPsz07j5b+/cVoWqyHDKzkaVbxfq/7auNVRmPB3v5SWEsH8xi4Bez2V9U KxfYCnqsjp8RaC2/khxKt0A552Eaxnz/4ly/2C7wkwTQnBmdlFYhAflWKQ03Ufiu8t3iBE3VJbc2 5oMrglj7TRZrmKq3CkbFnX0fyulB+kHimrt6PIWn7kgyl9aelIl6vtbhMA+l0nfrsORMa4kobqQ5 C5rveVgmcIad67EDa+UqEKy/GltUwlSh6xy+TrK1tzDvAgMBAAGjggHMMIIByDAfBgNVHSMEGDAW gBQJwPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQUzMeDMcimo0oz8o1R1Nver3ZVpSkwDgYD VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC MEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGln by5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGln b1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcmwwgYoGCCsGAQUFBwEB BH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ2xpZW50 QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29j c3Auc2VjdGlnby5jb20wHgYDVR0RBBcwFYETZHdtdzJAaW5mcmFkZWFkLm9yZzANBgkqhkiG9w0B AQsFAAOCAQEAyW6MUir5dm495teKqAQjDJwuFCi35h4xgnQvQ/fzPXmtR9t54rpmI2TfyvcKgOXp qa7BGXNFfh1JsqexVkIqZP9uWB2J+uVMD+XZEs/KYNNX2PvIlSPrzIB4Z2wyIGQpaPLlYflrrVFK v9CjT2zdqvy2maK7HKOQRt3BiJbVG5lRiwbbygldcALEV9ChWFfgSXvrWDZspnU3Gjw/rMHrGnql Htlyebp3pf3fSS9kzQ1FVtVIDrL6eqhTwJxe+pXSMMqFiN0whpBtXdyDjzBtQTaZJ7zTT/vlehc/ tDuqZwGHm/YJy883Ll+GP3NvOkgaRGWEuYWJJ6hFCkXYjyR9IzCCBhQwggT8oAMCAQICEQDGvhmW Z0DEAx0oURL6O6l+MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0 ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJl IEVtYWlsIENBMB4XDTIyMDEwNzAwMDAwMFoXDTI1MDEwNjIzNTk1OVowJDEiMCAGCSqGSIb3DQEJ ARYTZHdtdzJAaW5mcmFkZWFkLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQ3 GpC2bomUqk+91wLYBzDMcCj5C9m6oZaHwvmIdXftOgTbCJXADo6G9T7BBAebw2JV38EINgKpy/ZH h7htyAkWYVoFsFPrwHounto8xTsySSePMiPlmIdQ10BcVSXMUJ3Juu16GlWOnAMJY2oYfEzmE7uT 9YgcBqKCo65pTFmOnR/VVbjJk4K2xE34GC2nAdUQkPFuyaFisicc6HRMOYXPuF0DuwITEKnjxgNj P+qDrh0db7PAjO1D4d5ftfrsf+kdRR4gKVGSk8Tz2WwvtLAroJM4nXjNPIBJNT4w/FWWc/5qPHJy 2U+eITZ5LLE5s45mX2oPFknWqxBobQZ8a9dsZ3dSPZBvE9ZrmtFLrVrN4eo1jsXgAp1+p7bkfqd3 BgBEmfsYWlBXO8rVXfvPgLs32VdVNZxb/CDWPqBsiYv0Hv3HPsz07j5b+/cVoWqyHDKzkaVbxfq/ 7auNVRmPB3v5SWEsH8xi4Bez2V9UKxfYCnqsjp8RaC2/khxKt0A552Eaxnz/4ly/2C7wkwTQnBmd lFYhAflWKQ03Ufiu8t3iBE3VJbc25oMrglj7TRZrmKq3CkbFnX0fyulB+kHimrt6PIWn7kgyl9ae lIl6vtbhMA+l0nfrsORMa4kobqQ5C5rveVgmcIad67EDa+UqEKy/GltUwlSh6xy+TrK1tzDvAgMB AAGjggHMMIIByDAfBgNVHSMEGDAWgBQJwPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQUzMeD Mcimo0oz8o1R1Nver3ZVpSkwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw FAYIKwYBBQUHAwQGCCsGAQUFBwMCMEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYB BQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9j cmwuc2VjdGlnby5jb20vU2VjdGlnb1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1h aWxDQS5jcmwwgYoGCCsGAQUFBwEBBH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdv LmNvbS9TZWN0aWdvUlNBQ2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAj BggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wHgYDVR0RBBcwFYETZHdtdzJAaW5m cmFkZWFkLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAyW6MUir5dm495teKqAQjDJwuFCi35h4xgnQv Q/fzPXmtR9t54rpmI2TfyvcKgOXpqa7BGXNFfh1JsqexVkIqZP9uWB2J+uVMD+XZEs/KYNNX2PvI lSPrzIB4Z2wyIGQpaPLlYflrrVFKv9CjT2zdqvy2maK7HKOQRt3BiJbVG5lRiwbbygldcALEV9Ch WFfgSXvrWDZspnU3Gjw/rMHrGnqlHtlyebp3pf3fSS9kzQ1FVtVIDrL6eqhTwJxe+pXSMMqFiN0w hpBtXdyDjzBtQTaZJ7zTT/vlehc/tDuqZwGHm/YJy883Ll+GP3NvOkgaRGWEuYWJJ6hFCkXYjyR9 IzGCBMcwggTDAgEBMIGsMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVz dGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMT NVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhEA xr4ZlmdAxAMdKFES+jupfjANBglghkgBZQMEAgEFAKCCAeswGAYJKoZIhvcNAQkDMQsGCSqGSIb3 DQEHATAcBgkqhkiG9w0BCQUxDxcNMjQwNzEwMTAyMDEzWjAvBgkqhkiG9w0BCQQxIgQgmlb8s1ES 4nGb0blhRUa0XQfd2Z+y/yOlrHcTzrwjPHcwgb0GCSsGAQQBgjcQBDGBrzCBrDCBljELMAkGA1UE BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYG A1UEChMPU2VjdGlnbyBMaW1pdGVkMT4wPAYDVQQDEzVTZWN0aWdvIFJTQSBDbGllbnQgQXV0aGVu dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAMa+GZZnQMQDHShREvo7qX4wgb8GCyqGSIb3 DQEJEAILMYGvoIGsMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy MRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNl Y3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhEAxr4Z lmdAxAMdKFES+jupfjANBgkqhkiG9w0BAQEFAASCAgAhcx7mALCCJrPa0otbDxA36ixW1QoQ7Q4T kXHyVqJfWCImUDuFOO/5IcfOWokjr6V4b7xU+dQ8kUr2gAjyupXHJo59LQ7Ulfbsod27Kpom5qeh fizfyX1WlNVKHzceg+NljxgxDYfUTu7qiS2qN+H+08ioh0B3dq33nBidqPRZu/ORxvyqDvbU+Nuh qtHD+HG5dwNfq3YE3PNYC/Tmv+LNPgTAWTZV7n1aiRErBDKgCsEB/CH2o2xVRDvFxZGWg541ScBT 7/mZCDzbk0rJXhd469rd8hHt9Dt/FGL7Th/rXNzB7ENdvaJZ4suvgXTSzhaDTPmRQ+R8VKjClMoi gNudqup5rMHJNh5KL7q+uaxl3hC51teszKRgCjHbXVJJwP65kWc8wHoX7vi3lkChaPvEMMYF7uq1 HlWtdDpPkgh+7JxcI9x6m5vxMzajw0nFkjDWuV15PqjZGZVsViBAtt6Mc/Rn4xJnPz6yWP5k7qft AqoYm/kvBMoE8KRGtiVi/JfknIpzywETTkAD95Q8LdORoqdZVY1dzdHToRiwMD3HLh5WqiEH4dQq 3FVFIcKOLYe5myhUuyy1QZE5BAPblG6yL7ohaYI3uucR5gCB7AUDu1HlP1TxYLla9tctPLpLOvpi 6UCTM6QuCOXHDpeeyROYkJFVXwFhrScIX7sIkrt4fgAAAAAAAA== --=-hSekdqyhU16h+v9CUH6a--