As you can see in my original post:
Yes, it is indeed calling tegra_channel_error_recover.
A look at the source suggests that deep inside that call, destroy_buffer_table is called with tab = NULL (since then &tab->hlock yields 16, and the access violation happens at address 16).
This implies that in vi_capture_shutdown, capture->buf_ctx is NULL. I don’t understand enough of how that code is supposed to work to understand why; but I think that is where whoever wrote it should have a look.