diff --git a/CVE-2020-24372-1.patch b/CVE-2020-24372-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..acfffb459bf4222770fdc6c723b13c20619a7dce
--- /dev/null
+++ b/CVE-2020-24372-1.patch
@@ -0,0 +1,22 @@
+From 12ab596997b9cb27846a5b254d11230c3f9c50c8 Mon Sep 17 00:00:00 2001
+From: Mike Pall
+Date: Sun, 9 Aug 2020 18:08:38 +0200
+Subject: [PATCH] Fix handling of errors during snapshot restore.
+
+---
+ src/lj_trace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/lj_trace.c b/src/lj_trace.c
+index 311baa73c..123e6eb83 100644
+--- a/src/lj_trace.c
++++ b/src/lj_trace.c
+@@ -701,6 +701,8 @@ static TValue *trace_exit_cp(lua_State *L, lua_CFunction dummy, void *ud)
+ {
+ ExitDataCP *exd = (ExitDataCP *)ud;
+ cframe_errfunc(L->cframe) = -1; /* Inherit error function. */
++ /* Always catch error here. */
++ cframe_nres(L->cframe) = -2*LUAI_MAXSTACK*(int)sizeof(TValue);
+ exd->pc = lj_snap_restore(exd->J, exd->exptr);
+ UNUSED(dummy);
+ return NULL;
diff --git a/CVE-2020-24372-2.patch b/CVE-2020-24372-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e0a0524a8319031796357fd877e73da74b8e29a
--- /dev/null
+++ b/CVE-2020-24372-2.patch
@@ -0,0 +1,196 @@
+From e296f56b825c688c3530a981dc6b495d972f3d01 Mon Sep
+From: Mike Pall
+Date: Sun, 9 Aug 2020 22:50:31 +0200
+Subject: [PATCH] Call error function on rethrow after trace exit.
+
+---
+ src/lj_debug.c | 1 +
+ src/lj_dispatch.h | 2 +-
+ src/lj_err.c | 2 +-
+ src/lj_err.h | 2 +-
+ src/lj_trace.c | 4 ++--
+ src/vm_arm.dasc | 2 +-
+ src/vm_arm64.dasc | 3 +--
+ src/vm_mips.dasc | 5 ++---
+ src/vm_mips64.dasc | 5 ++---
+ src/vm_ppc.dasc | 3 +--
+ src/vm_x64.dasc | 4 +---
+ src/vm_x86.dasc | 4 +---
+ 12 files changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/src/lj_debug.c b/src/lj_debug.c
+index 959dc28..e6780dc 100644
+--- a/src/lj_debug.c
++++ b/src/lj_debug.c
+@@ -93,6 +93,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+ }
+ }
+ ins = cframe_pc(cf);
++ if (!ins) return NO_BCPOS;
+ }
+ }
+ pt = funcproto(fn);
+diff --git a/src/lj_dispatch.h b/src/lj_dispatch.h
+index 5bda51a..addf557 100644
+--- a/src/lj_dispatch.h
++++ b/src/lj_dispatch.h
+@@ -46,7 +46,7 @@ extern double __divdf3(double a, double b);
+ _(asin) _(acos) _(atan) _(sinh) _(cosh) _(tanh) _(frexp) _(modf) _(atan2) \
+ _(pow) _(fmod) _(ldexp) _(lj_vm_modi) \
+ _(lj_dispatch_call) _(lj_dispatch_ins) _(lj_dispatch_stitch) \
+- _(lj_dispatch_profile) _(lj_err_throw) \
++ _(lj_dispatch_profile) _(lj_err_throw) _(lj_err_run) \
+ _(lj_ffh_coroutine_wrap_err) _(lj_func_closeuv) _(lj_func_newL_gc) \
+ _(lj_gc_barrieruv) _(lj_gc_step) _(lj_gc_step_fixtop) _(lj_meta_arith) \
+ _(lj_meta_call) _(lj_meta_cat) _(lj_meta_comp) _(lj_meta_equal) \
+diff --git a/src/lj_err.c b/src/lj_err.c
+index b520b3d..c310daf 100644
+--- a/src/lj_err.c
++++ b/src/lj_err.c
+@@ -602,7 +602,7 @@ static ptrdiff_t finderrfunc(lua_State *L)
+ }
+
+ /* Runtime error. */
+-LJ_NOINLINE void lj_err_run(lua_State *L)
++LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
+ {
+ ptrdiff_t ef = finderrfunc(L);
+ if (ef) {
+diff --git a/src/lj_err.h b/src/lj_err.h
+index cba5fb7..aa4b7e0 100644
+--- a/src/lj_err.h
++++ b/src/lj_err.h
+@@ -23,7 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
+ LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
+ LJ_FUNC_NORET void lj_err_mem(lua_State *L);
+-LJ_FUNC_NORET void lj_err_run(lua_State *L);
++LJ_FUNCA_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
+ LJ_FUNC_NORET void lj_err_msg(lua_State *L, ErrMsg em);
+ LJ_FUNC_NORET void lj_err_lex(lua_State *L, GCstr *src, const char *tok,
+ BCLine line, ErrMsg em, va_list argp);
+diff --git a/src/lj_trace.c b/src/lj_trace.c
+index 797f010..07a6d6d 100644
+--- a/src/lj_trace.c
++++ b/src/lj_trace.c
+@@ -782,8 +782,8 @@ typedef struct ExitDataCP {
+ static TValue *trace_exit_cp(lua_State *L, lua_CFunction dummy, void *ud)
+ {
+ ExitDataCP *exd = (ExitDataCP *)ud;
+- cframe_errfunc(L->cframe) = -1; /* Inherit error function. */
+- /* Always catch error here. */
++ /* Always catch error here and don't call error function. */
++ cframe_errfunc(L->cframe) = 0;
+ cframe_nres(L->cframe) = -2*LUAI_MAXSTACK*(int)sizeof(TValue);
+ exd->pc = lj_snap_restore(exd->J, exd->exptr);
+ UNUSED(dummy);
+diff --git a/src/vm_arm.dasc b/src/vm_arm.dasc
+index 780cc16..5d686c5 100644
+--- a/src/vm_arm.dasc
++++ b/src/vm_arm.dasc
+@@ -2246,7 +2246,7 @@ static void build_subroutines(BuildCtx *ctx)
+ |9: // Rethrow error from the right C frame.
+ | rsb CARG2, CARG1, #0
+ | mov CARG1, L
+- | bl extern lj_err_throw // (lua_State *L, int errcode)
++ | bl extern lj_err_run // (lua_State *L)
+ |.endif
+ |
+ |//-----------------------------------------------------------------------
+diff --git a/src/vm_arm64.dasc b/src/vm_arm64.dasc
+index 3eaf376..927f27d 100644
+--- a/src/vm_arm64.dasc
++++ b/src/vm_arm64.dasc
+@@ -2033,9 +2033,8 @@ static void build_subroutines(BuildCtx *ctx)
+ | b <2
+ |
+ |9: // Rethrow error from the right C frame.
+- | neg CARG2, CARG1
+ | mov CARG1, L
+- | bl extern lj_err_throw // (lua_State *L, int errcode)
++ | bl extern lj_err_run // (lua_State *L)
+ |.endif
+ |
+ |//-----------------------------------------------------------------------
+diff --git a/src/vm_mips.dasc b/src/vm_mips.dasc
+index 1afd611..b405ef4 100644
+--- a/src/vm_mips.dasc
++++ b/src/vm_mips.dasc
+@@ -2512,9 +2512,8 @@ static void build_subroutines(BuildCtx *ctx)
+ |. addu RA, RA, BASE
+ |
+ |9: // Rethrow error from the right C frame.
+- | load_got lj_err_throw
+- | negu CARG2, CRET1
+- | call_intern lj_err_throw // (lua_State *L, int errcode)
++ | load_got lj_err_run
++ | call_intern lj_err_run // (lua_State *L)
+ |. move CARG1, L
+ |.endif
+ |
+diff --git a/src/vm_mips64.dasc b/src/vm_mips64.dasc
+index c06270a..59acc74 100644
+--- a/src/vm_mips64.dasc
++++ b/src/vm_mips64.dasc
+@@ -2470,9 +2470,8 @@ static void build_subroutines(BuildCtx *ctx)
+ |. daddu RA, RA, BASE
+ |
+ |9: // Rethrow error from the right C frame.
+- | load_got lj_err_throw
+- | negu CARG2, CRET1
+- | call_intern lj_err_throw // (lua_State *L, int errcode)
++ | load_got lj_err_run
++ | call_intern lj_err_run // (lua_State *L)
+ |. move CARG1, L
+ |.endif
+ |
+diff --git a/src/vm_ppc.dasc b/src/vm_ppc.dasc
+index b4260eb..f8d3633 100644
+--- a/src/vm_ppc.dasc
++++ b/src/vm_ppc.dasc
+@@ -2706,9 +2706,8 @@ static void build_subroutines(BuildCtx *ctx)
+ | bctr
+ |
+ |9: // Rethrow error from the right C frame.
+- | neg CARG2, CARG1
+ | mr CARG1, L
+- | bl extern lj_err_throw // (lua_State *L, int errcode)
++ | bl extern lj_err_run // (lua_State *L)
+ |.endif
+ |
+ |//-----------------------------------------------------------------------
+diff --git a/src/vm_x64.dasc b/src/vm_x64.dasc
+index a003fb4..379af6d 100644
+--- a/src/vm_x64.dasc
++++ b/src/vm_x64.dasc
+@@ -2509,10 +2509,8 @@ static void build_subroutines(BuildCtx *ctx)
+ | jmp <2
+ |
+ |9: // Rethrow error from the right C frame.
+- | neg RD
+ | mov CARG1, L:RB
+- | mov CARG2, RD
+- | call extern lj_err_throw // (lua_State *L, int errcode)
++ | call extern lj_err_run // (lua_State *L)
+ |.endif
+ |
+ |//-----------------------------------------------------------------------
+diff --git a/src/vm_x86.dasc b/src/vm_x86.dasc
+index 211ae7b..5ecb277 100644
+--- a/src/vm_x86.dasc
++++ b/src/vm_x86.dasc
+@@ -2960,10 +2960,8 @@ static void build_subroutines(BuildCtx *ctx)
+ | jmp <2
+ |
+ |9: // Rethrow error from the right C frame.
+- | neg RD
+ | mov FCARG1, L:RB
+- | mov FCARG2, RD
+- | call extern lj_err_throw@8 // (lua_State *L, int errcode)
++ | call extern lj_err_run@4 // (lua_State *L)
+ |.endif
+ |
+ |//-----------------------------------------------------------------------
+--
+2.23.0
+
diff --git a/luajit.spec b/luajit.spec
index f46a3b3a2ea3e108cba5d132357fca6c1cd9efbf..91c6adeab04b0d53572c17bbac0a4aced653e826 100644
--- a/luajit.spec
+++ b/luajit.spec
@@ -2,12 +2,14 @@ Name: luajit
 Version: 2.1.0
-Release: 1
+Release: 2
 Summary: Just-In-Time Compiler for Lua
 License: MIT
 URL: http://luajit.org/
 Source0: http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz
 Patch0: CVE-2020-15890.patch
+Patch1: CVE-2020-24372-1.patch
+Patch2: CVE-2020-24372-2.patch
 ExclusiveArch: %{arm} %{ix86} x86_64 %{mips} aarch64
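Review bot: The `%prep` section is outside this diff, so nothing here shows `Patch1` and `Patch2` actually being applied; if it uses explicit `%patch0 -p1` rather than `%autosetup -p1`, the build would silently ship without the fix, and `%patch1 -p1` plus `%patch2 -p1` need adding (both patch files use `a/src/...` paths, so `-p1` is required). The order also matters: CVE-2020-24372-2.patch removes the `/* Always catch error here. */` line that CVE-2020-24372-1.patch adds, so Patch2 only applies once Patch1 has been applied. The two patches place `trace_exit_cp` at different lines (`@@ -701` versus `@@ -782`) and carry different blob ids for `src/lj_trace.c`, which suggests Patch1 was taken from a different branch than the 2.1.0-beta3 source; it should still apply by context, but the build log is worth checking for an offset or fuzz message.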
@@ -72,6 +74,9 @@ ln -s luajit-2.1.0-beta3 %{buildroot}%{_bindir}/luajit
 %{_mandir}/man1/%{name}.1*
 %changelog
+* Mon Feb 8 2021 zhanghua - 2.1.0-2
+- fix CVE-2020-24372
+
 * Mon Jan 11 2021 zhangatao - 2.1.0-1
 - fix CVE-2020-15890