diff --git a/pstream-Fix-use-after-free-in-srb_callback.patch b/pstream-Fix-use-after-free-in-srb_callback.patch
new file mode 100644
index 0000000..6f29671
--- /dev/null
+++ b/pstream-Fix-use-after-free-in-srb_callback.patch
@@ -0,0 +1,43 @@
+>From 9d370181ec4bc1e252b54dd0e7bb52016f01b238 Mon Sep 17 00:00:00 2001
+From: David Henningsson
+Date: Fri, 16 Oct 2015 22:12:32 +0200
+Subject: [PATCH] pstream: Fix use-after-free in srb_callback
+
+We need to guard the pstream with an extra ref to ensure
+it is not destroyed at the time we check whether or not the
+srbchannel is destroyed.
+
+Reported-by: Takashi Iwai
+BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487
+Signed-off-by: David Henningsson
+---
+ src/pulsecore/pstream.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/src/pulsecore/pstream.c
++++ b/src/pulsecore/pstream.c
+@@ -216,14 +216,23 @@ fail:
+ }
+
+ static bool srb_callback(pa_srbchannel *srb, void *userdata) {
++ bool b;
+ pa_pstream *p = userdata;
+
+ pa_assert(p);
+ pa_assert(PA_REFCNT_VALUE(p) > 0);
+ pa_assert(p->srb == srb);
+
++ pa_pstream_ref(p);
++
+ do_pstream_read_write(p);
+- return p->srb != NULL;
++
++ /* If either pstream or the srb is going away, return false.
++ We need to check this before p is destroyed. */
++ b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
++ pa_pstream_unref(p);
++
++ return b;
+ }
+
+ static void io_callback(pa_iochannel*io, void *userdata) {
diff --git a/pulseaudio.changes b/pulseaudio.changes
index 26f35fa..700bcc5 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Oct 17 09:21:39 CEST 2015 - tiwai@suse.de
+
+- Upstream fix patch for srb channel corruption (boo#950487):
+ pstream-Fix-use-after-free-in-srb_callback.patch
+- Re-enable srbchannel again
+
 -------------------------------------------------------------------
 Thu Oct 15 16:32:02 CEST 2015 - tiwai@suse.de
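Review bot: In the patched `srb_callback`, the `PA_REFCNT_VALUE(p) > 1` test is only correct because of the `pa_pstream_ref(p)` taken a few lines above it, and the new comment does not say so; anyone who later moves or drops the guard ref turns the threshold into an off-by-one with no hint in the code. I would extend the comment with something like `/* The ref taken above counts as 1, so a value of 1 here means every other owner dropped p during do_pstream_read_write() and the unref below frees it. */`. The refcount check and the `pa_pstream_unref(p)` are separate steps, so the result presumably relies on no other thread dropping a reference in between; if that is the invariant, it is worth stating in the same comment. The local `b` would also read better with a descriptive name such as `still_alive`.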
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 78bf53a..8be41fa 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -44,7 +44,10 @@ Patch0: disabled-start.diff
 Patch1: suppress-socket-error-msg.diff
 Patch2: pulseaudio-wrong-memset.patch
 # PATCH-FIX-SUSE disable-srbchannel.patch boo#950487 Disable srbchannel as a workaround for crashes on KDE
+# XXX note this patch isn't used for now, kept just for workaround in future
 Patch3: disable-srbchannel.patch
+# PATCH-FIX-UPSTREAM pstream-Fix-use-after-free-in-srb_callback.patch boo#950487
+Patch4: pstream-Fix-use-after-free-in-srb_callback.patch
 # PATCH-FIX-UPSTREAM 0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch boo#934850
 Patch102: 0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch
 BuildRequires: alsa-devel >= 1.0.19
@@ -326,7 +329,10 @@ Optional dependency offering zsh completion for various PulseAudio utilities
 %patch0
 %patch1 -p1
 %patch2
+%if 0
 %patch3 -p1
+%endif
+%patch4 -p1
 %patch102 -p1
 
 %build
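Review bot: The `%if 0` / `%endif` wrapped around `%patch3 -p1` in the second hunk has no comment at the point of use, so the reason the workaround is skipped can only be found in the `# XXX` line added beside `Patch3:` in the first hunk. I would add a line directly above the conditional, for example `# disable-srbchannel.patch is kept as a fallback for boo#950487; not applied while Patch4 is in`. Because the patch is never applied in any build, nothing checks that it still applies to later sources, so a named build conditional instead of a literal `%if 0` would let the fallback be build-tested if it is meant to stay usable.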