diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 68e6f245581c28867d80b5ad90f4399a8ce4dd0d..55c41de2f5a03c1a1f6de41ca722c7568d511b3d 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -868,6 +868,14 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
 	if (sec_level == BT_SECURITY_LOW)
 		return true;
 
+	/* If we're encrypted with an STK always claim insufficient
+	 * security. This way we allow the connection to be re-encrypted
+	 * with an LTK, even if the LTK provides the same level of
+	 * security.
+	 */
+	if (test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags))
+		return false;
+
 	if (hcon->sec_level >= sec_level)
 		return true;