Introduction

The Linux kernel tracks whether it is running only mainline, upstream-tested code through a taint mechanism. Loading an out-of-tree module (one not included in the official kernel source tree) sets the O taint flag. This is a warning, not an error - the module will load and function normally. However, it signals to kernel developers that the kernel state cannot be fully trusted for debugging, and some vendors may refuse support on tainted kernels.

Symptoms

  • dmesg shows module_name: out-of-tree module taints kernel
  • cat /proc/sys/kernel/tainted shows a value with bit 18 set (262144)
  • uname -v or bug reports show Tainted: O or Tainted: OE
  • Vendor support request asks to reproduce on an untainted kernel
  • Kernel lockdep debugging disabled due to taint

Common Causes

  • DKMS-built modules (VirtualBox, ZFS on Linux, WireGuard older versions)
  • Third-party drivers not yet merged into mainline kernel
  • Custom kernel patches applied by the distribution or administrator
  • Proprietary drivers from hardware vendors (networking, storage, GPU)
  • Staging drivers promoted to use but still flagged as out-of-tree

Step-by-Step Fix

  1. 1.Check taint flags and identify the source:
  2. 2.```bash
  3. 3.cat /proc/sys/kernel/tainted
  4. 4.dmesg | grep -i "out-of-tree|taint"
  5. 5.# Lists each module that caused tainting
  6. 6.`
  7. 7.List all out-of-tree loaded modules:
  8. 8.```bash
  9. 9.# Compare loaded modules against the kernel source tree
  10. 10.for mod in $(lsmod | awk 'NR>1 {print $1}'); do
  11. 11.modinfo $mod 2>/dev/null | grep -q "intree: Y" || echo "OUT-OF-TREE: $mod"
  12. 12.done
  13. 13.`
  14. 14.Assess whether the tainted module is necessary:
  15. 15.```bash
  16. 16.# Check what functionality the module provides
  17. 17.modinfo zfs | head -10
  18. 18.modinfo vboxdrv | head -10

# Check if an in-tree alternative exists modinfo btrfs # Instead of zfs for advanced filesystem features modinfo kvm # Instead of vboxdrv for virtualization ```

  1. 1.Remove the out-of-tree module if an alternative exists:
  2. 2.```bash
  3. 3.# Remove ZFS and switch to ext4/xfs/btrfs
  4. 4.sudo dkms remove zfs/2.2.0 --all
  5. 5.sudo apt purge zfsutils-linux

# Remove VirtualBox kernel modules if using KVM instead sudo dkms remove vboxhost/7.0.0 --all sudo systemctl enable libvirtd ```

  1. 1.If the module is required, document the taint for support purposes:
  2. 2.```bash
  3. 3.# Create a taint report
  4. 4.{
  5. 5.echo "Kernel: $(uname -r)"
  6. 6.echo "Tainted value: $(cat /proc/sys/kernel/tainted)"
  7. 7.echo "Tainted modules:"
  8. 8.dmesg | grep -i taint
  9. 9.echo "Out-of-tree modules:"
  10. 10.for mod in $(lsmod | awk 'NR>1 {print $1}'); do
  11. 11.modinfo $mod 2>/dev/null | grep -q "intree: Y" || echo " $mod"
  12. 12.done
  13. 13.} > /tmp/kernel-taint-report.txt
  14. 14.`
  15. 15.Verify kernel functionality is stable despite taint:
  16. 16.```bash
  17. 17.# Monitor for kernel warnings or errors
  18. 18.dmesg -l err,warn | tail -20
  19. 19.journalctl -k --since "1 hour ago" -p warning
  20. 20.`

Prevention

  • Prefer in-tree drivers over out-of-tree alternatives when possible
  • Monitor the mainline kernel merge window for out-of-tree modules being accepted upstream
  • Test new kernel versions with your out-of-tree modules before production deployment
  • Document all out-of-tree modules and their business justification
  • For vendor support cases, proactively disclose taint status and be prepared to reproduce on clean kernel