How do I tell what modules taint the kernel, on a running system?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 9 (RHEL 9)
  • Red Hat Enterprise Linux 8 (RHEL 8)
  • Red Hat Enterprise Linux 7 (RHEL 7)
  • Red Hat Enterprise Linux 6 (RHEL 6)
  • Red Hat Enterprise Linux 5 (RHEL 5)

Issue

The logs indicate that the kernel is tainted. How can it be determined which modules are tainting the kernel?

Resolution

  • RHEL 7 and later (see "This content is not included.sys_module" documentation):

        >> Method 1:

    # grep -Hv "zzz"  /sys/module/*/taint | grep -v ":$"
    /sys/module/zavl/taint:POE
    /sys/module/zcommon/taint:POE
    /sys/module/zfs/taint:POE
    /sys/module/zlua/taint:OE

    >> Method 2: a more complex command can detect if 'intree' attribute is present in the loaded modules.

    # while read modname junk; do modinfo $modname | grep intree >/dev/null || echo $modname; done </proc/modules

  • RHEL 5 and 6, grep for lines that in /proc/modules that contain parentheses.

    # grep "(" /proc/modules
falcon_lsm_serviceable 1286290 1 - Live 0xffffffffa0428000 (P)
falcon_nf_netcontain 7631 1 - Live 0xffffffffa0423000 (P)later:

  • On any version, search /var/log/dmesg and /var/log/messages* files for taint references:

        >> RHEL7 or later:

    $ grep -i taint /var/log/*mes* -C 3
    /var/log/dmesg:[   10.571560] deadman: loading out-of-tree module taints kernel.
    /var/log/dmesg-[   10.571985] Deadman: 2.30 minor: 60

    >> RHEL 5 6:

    $ grep -i taint /var/log/*mes* -C 3
    /var/log/messages-20221113:Mar 26 00:57:52 hostname kernel: falcon_nf_netcontain: module license 'Proprietary' taints kernel.
    /var/log/messages-20221113:Mar 26 00:57:52 hostname kernel: Disabling lock debugging due to kernel taint
    /var/log/messages-20221113:Mar 26 01:11:18 hostname kernel: falcon_nf_netcontain: module license 'Proprietary' taints kernel.
     var/log/messages-20221113:Mar 26 01:11:18 hostname kernel: Disabling lock debugging due to kernel taint

Root Cause

To better understand the concept of "taint" and the meaning of each flag, please refer to the following solution:
"Why is the kernel "tainted" and how are the taint values deciphered?"

  • On RHEL 7 and later:

    • The letters at the end of the lines within /proc/module/*/tainted files contain information about the tainting of the kernel due to this module.
    • The taint flags can be any combination of P, O, F, C, E, r, H, T; representing Proprietary, Out-of-tree, Forced, Crap (non-production/staging build module), Unsigned, removed, Hardware, and Tech preview causes for tainting.

  • On RHEL 5 and RHEL 6:

    • The parenthesis enclosed characters at the end of lines in /proc/modules file contain information about the tainting of kernel modules. The full format is modulename size refcount deps address (taint-flags).
    • The taint flags can be any combination of P, F, U, and T; representing Proprietary, Forced, Unsigned, and Tech-preview causes for tainting.
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.