I've a x86 multi-arch initramfs containing a 64 bit init as /sbin/init and a 32 bit version as /bin/init. Also I've an empty text file /init (non-executable) to pass the check in init/main.c:kernel_init() to not call prepare_namespace() (otherwise booting would be impossible because the kernel complains not to find its rootfs).

This setup should be bootable with either a 64 bit kernel with no compat support and also with a plain 32 bit kernel because the hardcoded list in init/main.c:init_post() should make /sbin/init succeed on the 64 bit kernel and make it fail, but skip over to /bin/init on a 32 bit kernel. The latter doesn't happen because the failed execution attempt of /sbin/init changed the address limit from KERNEL_DS to USER_DS in fs/exec.c:search_binary_handler() so all references to the filenames ("/etc/init", "/bin/init" and "/bin/sh") won't be allowed because they life in kernelland not userland.

Patch for this bug is available at [1] but nobody seemed to care so far :(

[1] http://marc.info/?l=linux-kernel&m=130677271530393&w=2