How to find the specific cause of a tainted kernel
How to find the cause of a tainted Linux kernel?
Run the dmesg or journalctl command and search for 'tainted'.
dmesg | grep -i taintedDon’t know what a tainted kernel is? Have a look at the article explaining what a tainted kernel is first.
What is causing the tainted kernel?
If you have a tainted kernel, it will typically show up in the output of dmesg
and starts with ‘Tainted:’ followed by some letter(s). Use the lookup table below to find the related cause.
Bit | Letter | Number value | Reason |
---|---|---|---|
0 | G/P | 1 | Proprietary kernel module loaded |
1 | F | 2 | Kernel module was force loaded |
2 | S | 4 | SMP kernel oops on officially SMP incapable processor |
3 | R | 8 | Kernel module force unloaded |
4 | M | 16 | Processor reported a Machine Check Exception |
5 | B | 32 | Bad page referenced or some unexpected page flags |
6 | U | 64 | Taint requested by user space application |
7 | D | 128 | Kernel died recently (OOPS, bug) |
8 | A | 256 | ACPI table overridden by user |
9 | W | 512 | Kernel issued warning |
10 | C | 1024 | Staging driver loaded |
11 | I | 2048 | Workaround for bug in platform firmware applied |
12 | O | 4096 | Externally-built kernel module loaded |
13 | E | 8192 | Unsigned module loaded |
14 | L | 16384 | Soft lockup occurred |
15 | K | 32768 | Kernel live patched |
16 | X | 65536 | Auxiliary taint, defined for and used by Linux distributions |
17 | T | 131072 | Kernel was built with the struct randomization plugin |
Source: kernel.org
Another option is to check the value of /proc/sys/kernel/tainted. This numeric value is easy to lookup in the table if there is just a single cause. When there are multiple causes, like a live patched kernel already experienced a serious issue, then it may be harder to find. In that case, run the following script.
for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
This for-loop will show each bit. The bits with the value of ‘1’ then can be looked up. If bit 1 and 15 show up, it was a live patch (15) and also kernel module that was loaded (forced).