How to find the specific cause of a tainted kernel
This article has last been updated at .
How to find the cause of a tainted Linux kernel?
Run the dmesg or journalctl command and search for 'tainted'.
dmesg | grep -i taintedDon’t know what a tainted kernel is? Have a look at the article explaining what a tainted kernel is first.
What is causing the tainted kernel?
If you have a tainted kernel, it will typically show up in the output of dmesg and starts with ‘Tainted:’ followed by some letter(s). Use the lookup table below to find the related cause.
| Bit | Letter | Number value | Reason |
|---|---|---|---|
| 0 | G/P | 1 | Proprietary kernel module loaded |
| 1 | F | 2 | Kernel module was force loaded |
| 2 | S | 4 | SMP kernel oops on officially SMP incapable processor |
| 3 | R | 8 | Kernel module force unloaded |
| 4 | M | 16 | Processor reported a Machine Check Exception |
| 5 | B | 32 | Bad page referenced or some unexpected page flags |
| 6 | U | 64 | Taint requested by user space application |
| 7 | D | 128 | Kernel died recently (OOPS, bug) |
| 8 | A | 256 | ACPI table overridden by user |
| 9 | W | 512 | Kernel issued warning |
| 10 | C | 1024 | Staging driver loaded |
| 11 | I | 2048 | Workaround for bug in platform firmware applied |
| 12 | O | 4096 | Externally-built kernel module loaded |
| 13 | E | 8192 | Unsigned module loaded |
| 14 | L | 16384 | Soft lockup occurred |
| 15 | K | 32768 | Kernel live patched |
| 16 | X | 65536 | Auxiliary taint, defined for and used by Linux distributions |
| 17 | T | 131072 | Kernel was built with the struct randomization plugin |
Source: kernel.org
Another option is to check the value of /proc/sys/kernel/tainted. This numeric value is easy to lookup in the table if there is just a single cause. When there are multiple causes, like a live patched kernel already experienced a serious issue, then it may be harder to find. In that case, run the following script.
for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
This for-loop will show each bit. The bits with the value of ‘1’ then can be looked up. If bit 1 and 15 show up, it was a live patch (15) and also kernel module that was loaded (forced).
