The function card_read in subsys/sd/sd_ops.c unlocks the &card->lock if the sdmmc_wait_ready operation fails.
It does so without having locked it first. It is locked by the caller once but also unlocked again after the card_read function call no matter the result. This means, that there is a code-path that would unlock it twice after having it locked only once.

Expected Fix: Remove the unlock call from card_read. It might be a forgotten line when refactoring.

The impact depends on what happens if a lock is unlocked one time too many. Might be Undefined Behavior.

Please let me know, if you need additional information. Thank you.

Edit: Apparently it will fail with -EINVAL.