diff --git a/README.adoc b/README.adoc
index 839a567e..16a91cf2 100644
--- a/README.adoc
+++ b/README.adoc
@@ -74,9 +74,10 @@ git clone https://github.com/cirosantilli/linux-kernel-module-cheat
 cd linux-kernel-module-cheat
 ./configure --qemu && \
 ./build-qemu       && \
-./build-buildroot  && \
 ./build-linux      && \
 ./build-modules    && \
+./build-userland   && \
+./build-buildroot  && \
 ./run
 ....
 
@@ -100,7 +101,15 @@ see this: https://askubuntu.com/questions/496549/error-you-must-put-some-source-
 
 It does not work if you just download the `.zip` from GitHub because we use link:.gitmodules[Git submodules], you must clone this repo. `./configure` then fetches only the required submodules for you.
 
-QEMU opens up and you can start playing with the kernel modules inside the simulated system: TODO fix path to 9p:
+The order of build commands matters:
+
+* `./build-linux` must come before `./build-modules` because the kernel modules depend on the Linux kernel build. We could lessen this need by calling `make modules_prepare` on the kernel tree, which does not require a full build, but this is not currently done
+* `./build-modules` and `./build-userland` must come before `./build-buildroot` because generate files that will be placed in the root filesystem. If you don't call them before, the generated files will not be in the root filesystem.
+* `build-qemu` must come before `./build-buildroot` because it builds the `qemu-img` tool that we use to convert the raw disk image into link:https://en.wikipedia.org/wiki/Qcow[qcow2] format that QEMU boots from in our setup
+
+If you mess up the order, just build things again in the right order and you will be fine.
+
+After `./run`, QEMU opens up and you can start playing with the kernel modules inside the simulated system:
 
 ....
 insmod /hello.ko
diff --git a/build-buildroot b/build-buildroot
index acd9c1c9..b1715502 100755
--- a/build-buildroot
+++ b/build-buildroot
@@ -179,17 +179,24 @@ def main(args, extra_args=None):
             if not args.baseline:
                 buildroot_configs.extend([
                     'BR2_GLOBAL_PATCH_DIR="{}"'.format(
-                        path_relative_to_buildroot(os.path.join(common.root_dir, 'patches', 'global'))),
+                        path_relative_to_buildroot(os.path.join(common.root_dir, 'patches', 'global'))
+                    ),
                     'BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="{}"'.format(
-                        path_relative_to_buildroot(os.path.join(common.root_dir, 'busybox_config_fragment'))),
+                        path_relative_to_buildroot(os.path.join(common.root_dir, 'busybox_config_fragment'))
+                    ),
                     'BR2_PACKAGE_OVERRIDE_FILE="{}"'.format(
-                        path_relative_to_buildroot(os.path.join(common.root_dir, 'buildroot_override'))),
-                    'BR2_ROOTFS_OVERLAY="{}"'.format(
-                        path_relative_to_buildroot(common.rootfs_overlay_dir)),
+                        path_relative_to_buildroot(os.path.join(common.root_dir, 'buildroot_override'))
+                    ),
+                    'BR2_ROOTFS_OVERLAY="{} {}"'.format(
+                        path_relative_to_buildroot(common.rootfs_overlay_dir),
+                        path_relative_to_buildroot(common.out_rootfs_overlay_dir),
+                    ),
                     'BR2_ROOTFS_POST_BUILD_SCRIPT="{}"'.format(
-                        path_relative_to_buildroot(os.path.join(common.root_dir, 'rootfs-post-build-script'))),
+                        path_relative_to_buildroot(os.path.join(common.root_dir, 'rootfs-post-build-script'))
+                    ),
                     'BR2_ROOTFS_USERS_TABLES="{}"'.format(
-                        path_relative_to_buildroot(os.path.join(common.root_dir, 'user_table'))),
+                        path_relative_to_buildroot(os.path.join(common.root_dir, 'user_table'))
+                    ),
                 ])
                 if args.kernel_modules:
                     buildroot_configs.append('BR2_PACKAGE_LKMC=y')
diff --git a/rootfs_overlay/anonymous_inode.sh b/rootfs_overlay/anonymous_inode.sh
index d9c2aa75..630250f5 100755
--- a/rootfs_overlay/anonymous_inode.sh
+++ b/rootfs_overlay/anonymous_inode.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 set -e
-insmod /anonymous_inode.ko
+insmod anonymous_inode.ko
 [ "$(/anonymous_inode.out /sys/kernel/debug/lkmc_anonymous_inode 3)" = "$(printf '1\n10\n100')" ]
 rmmod anonymous_inode
diff --git a/rootfs_overlay/character_device.sh b/rootfs_overlay/character_device.sh
index e42a75d7..ba4105b0 100755
--- a/rootfs_overlay/character_device.sh
+++ b/rootfs_overlay/character_device.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
-insmod /character_device.ko
+insmod character_device.ko
 /mknoddev.sh lkmc_character_device
 [ "$(cat /dev/lkmc_character_device)" = 'abcd' ]
 rm /dev/lkmc_character_device
diff --git a/rootfs_overlay/character_device_create.sh b/rootfs_overlay/character_device_create.sh
index 2a9259b9..1bc31b18 100755
--- a/rootfs_overlay/character_device_create.sh
+++ b/rootfs_overlay/character_device_create.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
-insmod /character_device_create.ko
+insmod character_device_create.ko
 dev='/dev/lkmc_character_device_create_dev'
 [ "$(cat "$dev")" = abcd ]
 rmmod character_device_create
diff --git a/rootfs_overlay/debugfs.sh b/rootfs_overlay/debugfs.sh
index 07eac5a6..563d4408 100755
--- a/rootfs_overlay/debugfs.sh
+++ b/rootfs_overlay/debugfs.sh
@@ -3,7 +3,7 @@ set -e
 d=/debugfs
 mkdir -p "$d"
 mount -t debugfs none "$d"
-insmod /debugfs.ko
+insmod debugfs.ko
 [ "$(cat "${d}/lkmc_debugfs/myfile")" = 42 ]
 echo 13 > "${d}/lkmc_debugfs/myfile"
 [ "$(cat "${d}/lkmc_debugfs/myfile")" = 13 ]
diff --git a/rootfs_overlay/dep.sh b/rootfs_overlay/dep.sh
index bd4013be..9f2944f5 100755
--- a/rootfs_overlay/dep.sh
+++ b/rootfs_overlay/dep.sh
@@ -3,8 +3,8 @@ set -e
 f=/sys/kernel/debug/lkmc_dep
 f2=/sys/kernel/debug/lkmc_dep2
 
-insmod /dep.ko
-insmod /dep2.ko
+insmod dep.ko
+insmod dep2.ko
 
 # Initial value.
 [ "$(cat "$f")" = 0 ]
@@ -20,8 +20,8 @@ printf 2 > "$f"
 # sysfs shows us that the module has dependants.
 [ "$(cat /sys/module/dep/refcnt)" = 1 ]
 [ "$(ls /sys/module/dep/holders)" = dep2 ]
-rmmod /dep2.ko
+rmmod dep2.ko
 [ "$(cat /sys/module/dep/refcnt)" = 0 ]
 [ -z "$(ls /sys/module/dep/holders)" ]
 
-rmmod /dep.ko
+rmmod dep.ko
diff --git a/rootfs_overlay/eval.sh b/rootfs_overlay/eval.sh
index 18128ea0..2fe7ccd6 100755
--- a/rootfs_overlay/eval.sh
+++ b/rootfs_overlay/eval.sh
@@ -11,7 +11,7 @@ eval "$lkmc_eval"
 # However, the kernel CLI parsing is crap, and the 4.14 docs lie.
 #
 # In particular, not all that is passed after "-" goes to an argument to init,
-# e.g. stuff with dots like "- /poweroff.out" still gets treated specially and
+# e.g. stuff with dots like "- ./poweroff.out" still gets treated specially and
 # does not go to init.
 #
 # This also likely means that the above solution is also unreliable in some cases,
diff --git a/rootfs_overlay/fops.sh b/rootfs_overlay/fops.sh
index 1c8f5b0d..61335ed6 100755
--- a/rootfs_overlay/fops.sh
+++ b/rootfs_overlay/fops.sh
@@ -3,7 +3,7 @@ set -e
 
 # Setup
 f=/sys/kernel/debug/lkmc_fops
-insmod /fops.ko
+insmod fops.ko
 
 # read
 [ "$(cat "$f")" = abcd ]
diff --git a/rootfs_overlay/init_module.sh b/rootfs_overlay/init_module.sh
index 79359a16..4babd6a5 100755
--- a/rootfs_overlay/init_module.sh
+++ b/rootfs_overlay/init_module.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
-insmod /init_module.ko
+insmod init_module.ko
 rmmod init_module
diff --git a/rootfs_overlay/ioctl.sh b/rootfs_overlay/ioctl.sh
index 16ed9c68..095b9edc 100755
--- a/rootfs_overlay/ioctl.sh
+++ b/rootfs_overlay/ioctl.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 f=/sys/kernel/debug/lkmc_ioctl
-insmod /ioctl.ko
+insmod ioctl.ko
 [ "$(/ioctl.out "$f" 0 1)" = 2 ]
 [ "$(/ioctl.out "$f" 1 1 1)" = '2 0' ]
 rmmod ioctl
diff --git a/rootfs_overlay/kgdb-mod.sh b/rootfs_overlay/kgdb-mod.sh
index d96a5b4b..11eafa48 100755
--- a/rootfs_overlay/kgdb-mod.sh
+++ b/rootfs_overlay/kgdb-mod.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-insmod /fops.ko
+insmod fops.ko
 cd /sys/kernel/debug/lkmc_fops
 i=0
 while true; do
diff --git a/rootfs_overlay/kstrto.sh b/rootfs_overlay/kstrto.sh
index c6121d0b..6e52952b 100755
--- a/rootfs_overlay/kstrto.sh
+++ b/rootfs_overlay/kstrto.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 f=/sys/kernel/debug/lkmc_kstrto
-insmod /kstrto.ko
+insmod kstrto.ko
 printf 123 > "$f"
 [ "$(cat "$f")" = 124 ]
 echo foobar > "$f" && exit 1
diff --git a/rootfs_overlay/mmap.sh b/rootfs_overlay/mmap.sh
index d993f106..d09e3668 100755
--- a/rootfs_overlay/mmap.sh
+++ b/rootfs_overlay/mmap.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 set -e
-insmod /mmap.ko
-/mmap.out /proc/lkmc_mmap 2>&1 1>/dev/null
-rmmod /mmap.ko
+insmod mmap.ko
+./mmap.out /proc/lkmc_mmap 2>&1 1>/dev/null
+rmmod mmap.ko
diff --git a/rootfs_overlay/netlink.sh b/rootfs_overlay/netlink.sh
index 9d4c0a50..0698d790 100755
--- a/rootfs_overlay/netlink.sh
+++ b/rootfs_overlay/netlink.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
-insmod /netlink.ko
+insmod netlink.ko
 [ "$(/netlink.out)" = 0 ]
 [ "$(/netlink.out)" = 1 ]
 [ "$(/netlink.out)" = 2 ]
diff --git a/rootfs_overlay/params.sh b/rootfs_overlay/params.sh
index 870d684f..57e1c84c 100755
--- a/rootfs_overlay/params.sh
+++ b/rootfs_overlay/params.sh
@@ -5,7 +5,7 @@ i="${d}/i"
 j="${d}/j"
 f=/sys/kernel/debug/lkmc_params
 
-insmod /params.ko
+insmod params.ko
 [ "$(cat "$i")" = 0 ]
 [ "$(cat "$j")" = 0 ]
 [ "$(cat "$f")" = '0 0' ]
@@ -15,6 +15,6 @@ printf 2 > "$j"
 [ "$(cat "$f")" = '1 2' ]
 rmmod params
 
-insmod /params.ko i=3 j=4
+insmod params.ko i=3 j=4
 [ "$(cat "$f")" = '3 4' ]
 rmmod params
diff --git a/rootfs_overlay/pmccntr.sh b/rootfs_overlay/pmccntr.sh
index e874f583..573d3ebf 100755
--- a/rootfs_overlay/pmccntr.sh
+++ b/rootfs_overlay/pmccntr.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-insmod /pmccntr.ko
+insmod pmccntr.ko
 cd /sys/kernel/debug
 cat lkmc_pmccntr
diff --git a/rootfs_overlay/poll.sh b/rootfs_overlay/poll.sh
index 749cdddb..d7586b41 100755
--- a/rootfs_overlay/poll.sh
+++ b/rootfs_overlay/poll.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 set -e
-insmod /poll.ko
-/poll.out /sys/kernel/debug/lkmc_poll
+insmod poll.ko
+./poll.out /sys/kernel/debug/lkmc_poll
 #rmmod poll
diff --git a/rootfs_overlay/procfs.sh b/rootfs_overlay/procfs.sh
index 208bd8bc..6e59be9e 100755
--- a/rootfs_overlay/procfs.sh
+++ b/rootfs_overlay/procfs.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 set -e
-insmod /procfs.ko
+insmod procfs.ko
 [ "$(cat "/proc/lkmc_procfs")" = abcd ]
 rmmod procfs
diff --git a/rootfs_overlay/qemu_edu.sh b/rootfs_overlay/qemu_edu.sh
index 321ba5eb..a03495b5 100755
--- a/rootfs_overlay/qemu_edu.sh
+++ b/rootfs_overlay/qemu_edu.sh
@@ -10,7 +10,7 @@ lspci -k
 cat /proc/interrupts
 
 # Setup.
-insmod /pci.ko
+insmod pci.ko
 /mknoddev.sh lkmc_pci
 
 # Shows that this module owns the PCI device.
diff --git a/rootfs_overlay/rand_check_poweroff.sh b/rootfs_overlay/rand_check_poweroff.sh
index d79fdef4..6940b62a 100755
--- a/rootfs_overlay/rand_check_poweroff.sh
+++ b/rootfs_overlay/rand_check_poweroff.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -ex
-/rand_check.out
+./rand_check.out
 
 # Check if network is being replayed.
 # https://superuser.com/questions/635020/how-to-know-current-time-from-internet-from-command-line-in-linux
@@ -9,4 +9,4 @@ set -ex
 
 # busybox's poweroff panics, TODO why. Likely tries to kill shell.
 # So just use our super raw command.
-/poweroff.out
+./poweroff.out
diff --git a/rootfs_overlay/seq_file.sh b/rootfs_overlay/seq_file.sh
index 88b4dc41..a245563f 100755
--- a/rootfs_overlay/seq_file.sh
+++ b/rootfs_overlay/seq_file.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 f=/sys/kernel/debug/lkmc_seq_file
-insmod /seq_file.ko
+insmod seq_file.ko
 [ "$(cat "$f")" = "$(printf '0\n1\n2\n')" ]
 [ "$(cat "$f")" = "$(printf '0\n1\n2\n')" ]
 [ "$(dd if="$f" bs=1 count=2 skip=0 status=none)" = "$(printf '0\n')" ]
diff --git a/rootfs_overlay/seq_file_single_open.sh b/rootfs_overlay/seq_file_single_open.sh
index f504a57c..77fa9483 100755
--- a/rootfs_overlay/seq_file_single_open.sh
+++ b/rootfs_overlay/seq_file_single_open.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 f=/sys/kernel/debug/lkmc_seq_file_single_open
-insmod /seq_file_single_open.ko
+insmod seq_file_single_open.ko
 [ "$(cat "$f")" = "$(printf 'ab\ncd\n')" ]
 [ "$(dd if="$f" bs=1 count=3 skip=1)" = "$(printf "b\nc\n")" ]
 rmmod seq_file_single_open
diff --git a/rootfs_overlay/sysfs.sh b/rootfs_overlay/sysfs.sh
index 397af987..b54eba2f 100755
--- a/rootfs_overlay/sysfs.sh
+++ b/rootfs_overlay/sysfs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
-insmod /sysfs.ko
+insmod sysfs.ko
 f=/sys/kernel/lkmc_sysfs/foo
 # write
 printf 12345 > "$f"
diff --git a/rootfs_overlay/uio_read.sh b/rootfs_overlay/uio_read.sh
index 459cdcaa..499b8741 100755
--- a/rootfs_overlay/uio_read.sh
+++ b/rootfs_overlay/uio_read.sh
@@ -4,9 +4,9 @@ set -e
 modprobe uio_pci_generic
 # pci_min device
 echo '1234 11e9' > /sys/bus/pci/drivers/uio_pci_generic/new_id
-/uio_read.out &
+./uio_read.out &
 # Helper to observe interrupts.
-insmod /irq.ko
+insmod irq.ko
 base="$(setpci -d 1234:11e9 BASE_ADDRESS_0)"
 # Start generating interrupt.
 devmem "0x${base}" w 0x12345678
diff --git a/rootfs_overlay/vermagic.sh b/rootfs_overlay/vermagic.sh
index d04cacd5..ae3d12fe 100755
--- a/rootfs_overlay/vermagic.sh
+++ b/rootfs_overlay/vermagic.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
-insmod /vermagic.ko
+insmod vermagic.ko
 rmmod vermagic
diff --git a/rootfs_overlay/virt_to_phys.sh b/rootfs_overlay/virt_to_phys.sh
index 550f83ec..18ab2f92 100755
--- a/rootfs_overlay/virt_to_phys.sh
+++ b/rootfs_overlay/virt_to_phys.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -ex
-insmod /virt_to_phys.ko
+insmod virt_to_phys.ko
 cd /sys/kernel/debug
 cat lkmc_virt_to_phys
 # k = 0x12345678