diff --git a/[refs] b/[refs]
index 3c6d072a2eab..cbefca2d44c1 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 57c2590fb7fd38bd52708ff2716a577d0c2b3c5a
+refs/heads/master: 9156235b3427d6f01c5c95022f72f381f07583f5
diff --git a/trunk/security/keys/keyctl.c b/trunk/security/keys/keyctl.c
index 6261745e4459..639226afd0db 100644
--- a/trunk/security/keys/keyctl.c
+++ b/trunk/security/keys/keyctl.c
@@ -1091,7 +1091,7 @@ long keyctl_set_reqkey_keyring(int reqkey_defl)
 long keyctl_set_timeout(key_serial_t id, unsigned timeout)
 {
 	struct timespec now;
-	struct key *key;
+	struct key *key, *instkey;
 	key_ref_t key_ref;
 	time_t expiry;
 	long ret;
@@ -1099,10 +1099,25 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
 	key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
 				  KEY_SETATTR);
 	if (IS_ERR(key_ref)) {
+		/* setting the timeout on a key under construction is permitted
+		 * if we have the authorisation token handy */
+		if (PTR_ERR(key_ref) == -EACCES) {
+			instkey = key_get_instantiation_authkey(id);
+			if (!IS_ERR(instkey)) {
+				key_put(instkey);
+				key_ref = lookup_user_key(id,
+							  KEY_LOOKUP_PARTIAL,
+							  0);
+				if (!IS_ERR(key_ref))
+					goto okay;
+			}
+		}
+
 		ret = PTR_ERR(key_ref);
 		goto error;
 	}
 
+okay:
 	key = key_ref_to_ptr(key_ref);
 
 	/* make the changes with the locks held to prevent races */