diff --git a/0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch b/0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3bc0abf1175722c80bcd3cc3263128eab238ef68
--- /dev/null
+++ b/0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch
@@ -0,0 +1,228 @@
+From 26e0dea1270556b08c37c20da9db229de664dbd1 Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Fri, 23 Feb 2024 17:30:12 +0800
+Subject: [PATCH] unfreeze freezing container and bugfix for files.limit and
+ syscontainer
+
+1. container in the freezing state must be unfreeze
+https://gitee.com/src-openeuler/lxc/pulls/498
+
+2. bugfix for files.limit invalid
+should return false if failed to write cgroup.procs after max times,
+or will lead to files.limit invalid
+
+3. run oci-prestart hook before switch root
+In: https://gitee.com/src-openeuler/lxc/pulls/513, we move oci-prestart hook
+after sync_cgroup_limits, for sync_cgroup_limits will write a *:* rwm device rule
+which will lead the device rule we write in oci-prestart hook useless.
+However the modification move oci-prestart hook after change root.
+We restore the changes. Since setup_limits_legacy will do the a *:* rwm write,
+we only ensure that setup_limits_legacy executes before oci-prestart.
+
+Signed-off-by: jikai
+---
+ src/lxc/cgroups/cgfsng.c | 2 ++
+ src/lxc/conf.c | 6 ++++
+ src/lxc/lxccontainer.c | 7 +++++
+ src/lxc/start.c | 61 +++++++++++++++++++++++++---------------
+ src/lxc/sync.c | 6 ++--
+ src/lxc/sync.h | 10 ++++---
+ 6 files changed, 62 insertions(+), 30 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 471c281..311bdf7 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -1889,6 +1889,8 @@ retry:
+ retry_count++;
+ goto retry;
+ }
++ SYSERROR("Failed to enter cgroup \"%s/cgroup.procs\"", h->path_con);
++ return false;
+ }
+ #else
+ ret = lxc_writeat(h->dfd_con, "cgroup.procs", pidstr, len);
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 595e605..9e7f6a2 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -4900,6 +4900,12 @@ int lxc_setup(struct lxc_handler *handler)
+ if (ret < 0)
+ return log_error(-1, "Failed to setup \"/dev\" symlinks");
+
++#ifdef HAVE_ISULAD
++ /* Ask parent to run oci prestart hooks and wait for him to finish. */
++ if (!lxc_sync_barrier_parent(handler, START_SYNC_OCI_PRESTART_HOOK)) {
++ return log_error(-1, "Failed to sync parent to start host hook");
++ }
++#endif
+ ret = lxc_setup_rootfs_switch_root(&lxc_conf->rootfs);
+ if (ret < 0)
+ return log_error(-1, "Failed to pivot root into rootfs");
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 5720cf7..318b7f5 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -560,7 +560,14 @@ static bool do_lxcapi_unfreeze(struct lxc_container *c)
+ return false;
+
+ s = lxc_getstate(c->name, c->config_path);
++#ifdef HAVE_ISULAD
++ // Prevent lxc from unexpectedly exiting when executing freeze,
++ // causing the container to be in the FREEZING state,
++ // making normal life cycle management impossible.
++ if (s == FROZEN || s == FREEZING) {
++#else
+ if (s == FROZEN) {
++#endif
+ ret = cgroup_unfreeze(c->name, c->config_path, -1);
+ if (ret == -ENOCGROUP2)
+ ret = lxc_unfreeze(c->lxc_conf, c->name, c->config_path);
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 0a5cb26..2fea7b0 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1643,11 +1643,6 @@ static int do_start(void *data)
+ }
+
+ #ifdef HAVE_ISULAD
+- /* Ask father to run oci prestart hooks and wait for him to finish. */
+- if (!lxc_sync_barrier_parent(handler, START_SYNC_OCI_PRESTART_HOOK)) {
+- return log_error(-1, "Failed to sync parent to start host hook");
+- }
+-
+ /* close pipes after sync fds */
+ /* isulad: dup2 pipe[0][0] to container stdin, pipe[1][1] to container stdout, pipe[2][1] to container stderr */
+ if (handler->disable_pty) {
+@@ -2383,7 +2378,9 @@ static int lxc_spawn(struct lxc_handler *handler)
+ goto out_delete_net;
+ }
+
+- if (!lxc_sync_wait_child(handler, START_SYNC_CGROUP_LIMITS))
++#ifdef HAVE_ISULAD
++ // OCI prestart hook should run before lxc_setup_rootfs_switch_root.
++ if (!lxc_sync_wait_child(handler, START_SYNC_OCI_PRESTART_HOOK))
+ goto out_delete_net;
+
+ /*
+@@ -2403,25 +2400,8 @@ static int lxc_spawn(struct lxc_handler *handler)
+ }
+ TRACE("Set up cgroup2 device controller limits");
+
+- cgroup_ops->finalize(cgroup_ops);
+- TRACE("Finished setting up cgroups");
+-
+- /* Run any host-side start hooks */
+- ret = run_lxc_hooks(name, "start-host", conf, NULL);
+- if (ret < 0) {
+- ERROR("Failed to run lxc.hook.start-host");
+- goto out_delete_net;
+- }
+-
+- if (!lxc_sync_wake_child(handler, START_SYNC_FDS))
+- goto out_delete_net;
+-
+-#ifdef HAVE_ISULAD
+ // OCI prestart hook should run after setup_limits_legacy.
+ // Otherwise 'syscontainer-hooks' write devices rule will be useless.
+- if (!lxc_sync_wait_child(handler, START_SYNC_OCI_PRESTART_HOOK))
+- goto out_delete_net;
+-
+ /* isulad: Run oci prestart hook at here */
+ ret = run_oci_hooks(name, "oci-prestart", conf, lxcpath);
+ if (ret < 0) {
+@@ -2442,6 +2422,41 @@ static int lxc_spawn(struct lxc_handler *handler)
+ goto out_delete_net;
+ #endif
+
++ if (!lxc_sync_wait_child(handler, START_SYNC_CGROUP_LIMITS))
++ goto out_delete_net;
++
++#ifndef HAVE_ISULAD
++ /*
++ * With isolation the limiting devices cgroup was already setup, so
++ * only setup devices here if we have no namespace directory.
++ */
++ if (!handler->conf->cgroup_meta.namespace_dir &&
++ !cgroup_ops->setup_limits_legacy(cgroup_ops, handler->conf, true)) {
++ ERROR("Failed to setup legacy device cgroup controller limits");
++ goto out_delete_net;
++ }
++ TRACE("Set up legacy device cgroup controller limits");
++
++ if (!cgroup_ops->devices_activate(cgroup_ops, handler)) {
++ ERROR("Failed to setup cgroup2 device controller limits");
++ goto out_delete_net;
++ }
++ TRACE("Set up cgroup2 device controller limits");
++#endif
++
++ cgroup_ops->finalize(cgroup_ops);
++ TRACE("Finished setting up cgroups");
++
++ /* Run any host-side start hooks */
++ ret = run_lxc_hooks(name, "start-host", conf, NULL);
++ if (ret < 0) {
++ ERROR("Failed to run lxc.hook.start-host");
++ goto out_delete_net;
++ }
++
++ if (!lxc_sync_wake_child(handler, START_SYNC_FDS))
++ goto out_delete_net;
++
+ if (handler->ns_unshare_flags & CLONE_NEWCGROUP) {
+ /* Now we're ready to preserve the cgroup namespace */
+ ret = lxc_try_preserve_namespace(handler, LXC_NS_CGROUP, "cgroup");
+diff --git a/src/lxc/sync.c b/src/lxc/sync.c
+index f156809..09d932b 100644
+--- a/src/lxc/sync.c
++++ b/src/lxc/sync.c
+@@ -66,16 +66,16 @@ static inline const char *start_sync_to_string(int state)
+ return "configure";
+ case START_SYNC_POST_CONFIGURE:
+ return "post-configure";
+- case START_SYNC_CGROUP_LIMITS:
+- return "cgroup-limits";
+ case START_SYNC_IDMAPPED_MOUNTS:
+ return "idmapped-mounts";
+-#ifdef HAVE_ISULAd
++#ifdef HAVE_ISULAD
+ case START_SYNC_OCI_PRESTART_HOOK:
+ return "oci-prestart-hook";
+ case START_SYNC_POST_OCI_PRESTART_HOOK:
+ return "post-oci-prestart-hook";
+ #endif
++ case START_SYNC_CGROUP_LIMITS:
++ return "cgroup-limits";
+ case START_SYNC_FDS:
+ return "fds";
+ case START_SYNC_READY_START:
+diff --git a/src/lxc/sync.h b/src/lxc/sync.h
+index b6080dd..6802d32 100644
+--- a/src/lxc/sync.h
++++ b/src/lxc/sync.h
+@@ -20,15 +20,17 @@ enum /* start */ {
+ START_SYNC_CONFIGURE = 1,
+ START_SYNC_POST_CONFIGURE = 2,
+ START_SYNC_IDMAPPED_MOUNTS = 3,
+- START_SYNC_CGROUP_LIMITS = 4,
+- START_SYNC_FDS = 5,
+ #ifdef HAVE_ISULAD
+- START_SYNC_OCI_PRESTART_HOOK = 6,
+- START_SYNC_POST_OCI_PRESTART_HOOK = 7,
++ START_SYNC_OCI_PRESTART_HOOK = 4,
++ START_SYNC_POST_OCI_PRESTART_HOOK = 5,
++ START_SYNC_CGROUP_LIMITS = 6,
++ START_SYNC_FDS = 7,
+ START_SYNC_READY_START = 8,
+ START_SYNC_RESTART = 9,
+ START_SYNC_POST_RESTART = 10,
+ #else
++ START_SYNC_CGROUP_LIMITS = 4,
++ START_SYNC_FDS = 5,
+ START_SYNC_READY_START = 6,
+ START_SYNC_RESTART = 7,
+ START_SYNC_POST_RESTART = 8,
+--
+2.33.0
+
diff --git a/lxc.spec b/lxc.spec
index e2c36581f0fd7e0767d086be382d6afdac6e0c50..4de180b83b4adf05de543b4e2cd5dbcd2ddd4cb5 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -1,4 +1,4 @@
-%global _release 12
+%global _release 13
%global enable_isulad 1
Name: lxc
@@ -24,6 +24,7 @@ Patch0012: 0012-fix-dev-mount-failed-and-skip-send-recv-devpts_fd-if.patch
Patch0013: 0013-ensure-cpuset-cgroup-built-while-writing-cgroup.proc.patch
Patch0014: 0014-fix-cpuset-cgroup-error.patch
Patch0015: 0015-append-mntopt-to-mntdata-if-not-found-in-mount_opt.patch
+Patch0016: 0016-unfreeze-freezing-container-and-bugfix-for-files.lim.patch
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
BuildRequires: pkgconfig(libseccomp)
@@ -211,6 +212,12 @@ meson test -C build
%endif
%changelog
+* Mon Feb 26 2024 jikai - 5.0.2-13
+- Type: bugfix
+- ID:NA
+- SUG:NA
+- DESC: unfreeze freezing container and bugfix for files.limit and syscontainer
+
+* Thu Feb 22 2024 jikai - 5.0.2-12
+- Type: bugfix
+- ID:NA
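Review bot: The sync.h renumbering (`START_SYNC_OCI_PRESTART_HOOK = 4` through `START_SYNC_FDS = 7`) is only correct because each barrier pair stays adjacent — if `lxc_sync_barrier_parent` waits on `sequence + 1` as in upstream lxc, the child's barrier on `START_SYNC_OCI_PRESTART_HOOK` in the conf.c hunk and on `START_SYNC_CGROUP_LIMITS` in do_start depend on `START_SYNC_POST_OCI_PRESTART_HOOK` and `START_SYNC_FDS` being the very next values, and nothing in the enum says so. I would add above the renumbered constants: `/* Barrier pairs must stay adjacent: the child's barrier waits on sequence + 1 (OCI_PRESTART_HOOK/POST_OCI_PRESTART_HOOK, CGROUP_LIMITS/FDS). */`. Two further things the commit message does not mention but a reader of this hunk should know: the sync.c hunk also fixes the `#ifdef HAVE_ISULAd` typo, which previously dropped the two OCI cases from `start_sync_to_string` in isulad builds, and the `#ifdef HAVE_ISULAD` opened in the `@@ -2383` hunk of start.c is closed only by the `#endif` that appears as context in the `@@ -2442` hunk, so the device-cgroup setup between them now compiles only for isulad while the new `#ifndef HAVE_ISULAD` copy serves the other build — a one-line comment at that `#endif` naming which block it closes would help. The cgfsng.c and lxccontainer.c parts look right; lxc_spawn and do_start both begin and end outside the hunks.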