« Back to Frequently Asked Questions

How to find the specific cause of a tainted kernel

Don’t know what a tainted kernel is? Have a look at the article explaining what a tainted kernel is first.

What is causing the tainted kernel?

If you have a tainted kernel, it will typically show up in the output of dmesg and starts with ‘Tainted:’ followed by some letter(s). Use the lookup table below to find the related cause.

BitLetterNumber valueReason
0G/P1Proprietary kernel module loaded
1F2Kernel module was force loaded
2S4SMP kernel oops on officially SMP incapable processor
3R8Kernel module force unloaded
4M16Processor reported a Machine Check Exception
5B32Bad page referenced or some unexpected page flags
6U64Taint requested by user space application
7D128Kernel died recently (OOPS, bug)
8A256ACPI table overridden by user
9W512Kernel issued warning
10C1024Staging driver loaded
11I2048Workaround for bug in platform firmware applied
12O4096Externally-built kernel module loaded
13E8192Unsigned module loaded
14L16384Soft lockup occurred
15K32768Kernel live patched
16X65536Auxiliary taint, defined for and used by Linux distributions
17T131072Kernel was built with the struct randomization plugin

Source: kernel.org

Another option is to check the value of /proc/sys/kernel/tainted. This numeric value is easy to lookup in the table if there is just a single cause. When there are multiple causes, like a live patched kernel already experienced a serious issue, then it may be harder to find. In that case, run the following script.

for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

This for-loop will show each bit. The bits with the value of ‘1’ then can be looked up. If bit 1 and 15 show up, it was a live patch (15) and also kernel module that was loaded (forced).

Related sysctl keys


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon