diff --git a/README.adoc b/README.adoc
index 5234104..956b6e3 100644
--- a/README.adoc
+++ b/README.adoc
@@ -682,6 +682,8 @@ tmux just makes things even more fun by allowing us to see both terminals at onc
 
 === GDB step debug kernel module
 
+http://stackoverflow.com/questions/28607538/how-to-debug-linux-kernel-modules-with-qemu/44095831#44095831
+
 Loadable kernel modules are a bit trickier since the kernel can place them at different memory locations depending on load order.
 
 So we cannot set the breakpoints before `insmod`.
@@ -730,8 +732,6 @@ Just don't forget to remove your breakpoints after `rmmod`, or they will point t
 
 TODO: why does `break work_func` for `insmod kthread.ko` not break the first time I `insmod`, but breaks the second time?
 
-See also: http://stackoverflow.com/questions/28607538/how-to-debug-linux-kernel-modules-with-qemu/44095831#44095831
-
 ==== GDB module_init
 
 TODO find a convenient method.
@@ -2209,7 +2209,7 @@ Error occurred in Python command: Cannot access memory at address 0xbf00010c
 so we need to either:
 
 * <<gdb-module_init>>
-* <<kernel-module-trace-to-source-line>> post-mortem method
+* <<kernel-module-stack-trace-to-source-line>> post-mortem method
 
 [[dump_stack]]
 ==== dump_stack kernel module
diff --git a/kernel_module/pmccntr.c b/kernel_module/pmccntr.c
new file mode 100644
index 0000000..9246e41
--- /dev/null
+++ b/kernel_module/pmccntr.c
@@ -0,0 +1,81 @@
+/*
+ARM only.
+
+TODO not working.
+
+* https://stackoverflow.com/questions/40454157/is-there-an-equivalent-instruction-to-rdtsc-in-arm
+* https://stackoverflow.com/questions/31620375/arm-cortex-a7-returning-pmccntr-0-in-kernel-mode-and-illegal-instruction-in-u/31649809#31649809
+* https://blog.regehr.org/archives/794
+*/
+
+#include <linux/debugfs.h>
+#include <linux/errno.h> /* EFAULT */
+#include <linux/fs.h>
+#include <linux/module.h>
+#include <linux/printk.h> /* pr_info */
+#include <linux/seq_file.h> /* seq_read, seq_lseek, single_release */
+#include <linux/uaccess.h> /* copy_from_user, copy_to_user */
+#include <uapi/linux/stat.h> /* S_IRUSR */
+
+
+static struct dentry *debugfs_file;
+
+static int show(struct seq_file *m, void *v)
+{
+	u32 pmccntr;
+#if defined(__arm__)
+	/* Invalid aarch64 asm. */
+
+	/* TODO  Internal error: Oops - undefined instruction: 0 [#1] ARM */
+	/* Enable userland access to conter. */
+	/* PMUSERENR = 1 */
+	/*__asm__ __volatile__ ("mcr p15, 0, %0, c9, c14, 0" :: "r"(1));*/
+
+	/* TODO oops undefined instruction. */
+	/* PMCR.E (bit 0) = 1 */
+	/*__asm__ __volatile__ ("mcr p15, 0, %0, c9, c12, 0" :: "r"(1));*/
+
+	/* TODO oops undefined instruction. */
+	/* Enable counter. */
+	/* PMCNTENSET.C (bit 31) = 1 */
+	/*__asm__ __volatile__ ("mcr p15, 0, %0, c9, c12, 1" :: "r"(1 << 31));*/
+
+	/* Get counter value. */
+	__asm__ __volatile__ ("mrc p15, 0, %0, c15, c12, 1" : "=r" (pmccntr));
+#else
+	pmccntr = 0;
+#endif
+	seq_printf(m, "%8.8llX\n", (unsigned long long)pmccntr);
+	return 0;
+}
+
+static int open(struct inode *inode, struct file *file)
+{
+	return single_open(file, show, NULL);
+}
+
+static const struct file_operations fops = {
+	.llseek = seq_lseek,
+	.open = open,
+	.owner = THIS_MODULE,
+	.read = seq_read,
+	.release = single_release,
+};
+
+static int myinit(void)
+{
+	debugfs_file = debugfs_create_file("lkmc_pmccntr", S_IRUSR, NULL, NULL, &fops);
+	if (!debugfs_file) {
+		return -1;
+	}
+	return 0;
+}
+
+static void myexit(void)
+{
+	debugfs_remove(debugfs_file);
+}
+
+module_init(myinit)
+module_exit(myexit)
+MODULE_LICENSE("GPL");
diff --git a/kernel_module/user/README.adoc b/kernel_module/user/README.adoc
index 3f60d61..d2ee9ff 100644
--- a/kernel_module/user/README.adoc
+++ b/kernel_module/user/README.adoc
@@ -20,6 +20,7 @@ These programs can also be compiled and used on host.
 .... link:init_dev_kmsg.c[]
 .. link:uio_read.c[]
 .. link:rand_check.c[]
+.. link:rdtsc.c[]
 . Module tests
 .. link:anonymous_inode.c[]
 .. link:poll.c[]
diff --git a/kernel_module/user/rdtsc.c b/kernel_module/user/rdtsc.c
new file mode 100644
index 0000000..baf50c0
--- /dev/null
+++ b/kernel_module/user/rdtsc.c
@@ -0,0 +1,26 @@
+/*
+Only works in x86_64.
+
+- https://en.wikipedia.org/wiki/Time_Stamp_Counter
+- https://stackoverflow.com/questions/9887839/clock-cycle-count-wth-gcc/9887979
+*/
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(__i386__) || defined(__x86_64__)
+#include <x86intrin.h>
+#endif
+
+int main(void) {
+	uintmax_t val;
+#if defined(__i386__) || defined(__x86_64__)
+	/* https://stackoverflow.com/questions/9887839/clock-cycle-count-wth-gcc/9887979 */
+	val = __rdtsc();
+#else
+	val = 0;
+#endif
+	printf("%jx\n", val);
+	return EXIT_SUCCESS;
+}
diff --git a/rootfs_overlay/pmccntr.sh b/rootfs_overlay/pmccntr.sh
new file mode 100755
index 0000000..e874f58
--- /dev/null
+++ b/rootfs_overlay/pmccntr.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+insmod /pmccntr.ko
+cd /sys/kernel/debug
+cat lkmc_pmccntr
diff --git a/run b/run
index 77cc99f..52987dc 100755
--- a/run
+++ b/run
@@ -11,7 +11,9 @@ kgdb=false
 kvm=false
 # norandmaps: Don't use address space randomization. Equivalent to echo 0 > /proc/sys/kernel/randomize_va_space.
 # printk.time=y: log in format: "[time ] msg" for all printk messages.
-# nokaslr: https://unix.stackexchange.com/questions/397939/turning-off-kaslr-to-debug-linux-kernel-using-qemu-and-gdb
+# nokaslr:
+# - https://unix.stackexchange.com/questions/397939/turning-off-kaslr-to-debug-linux-kernel-using-qemu-and-gdb
+# - https://stackoverflow.com/questions/44612822/unable-to-debug-kernel-with-qemu-gdb/49840927#49840927
 #   Turned on by default since v4.12
 extra_append='nokaslr norandmaps printk.devkmsg=on printk.time=y'
 extra_append_after_dash=