Reproducer CVE-2023-23609

For the bug details see the writeup.

The overwrite in packetbuf_aligned corrupts the immediately following ip_processor_list_list. The corrupted value is later used in netstack_process_ip_callback, where it is loaded into r4 and dereferenced. The register dump shows that the fuzzer generated a valid MMIO address for this value, so that load succeeds: a pointer is read from the MMIO address into r3 and then used as the target of an indirect branch. That pointer is not a valid address, so the firmware execution crashes.
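The adjacency problem described above, modelled as an added example (constructed for this page, not Contiki-NG's or the reproducer's own code): a fixed-size packet buffer followed in RAM by a list-head pointer, an unchecked copy that spills into the pointer, and the length check that keeps the list head intact. `PACKETBUF_SIZE`, `GOOD_HEAD`, the flat `ram[]` image and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed flat RAM image: packet buffer, then the list-head pointer.
 * Sizes and the "good" pointer value are assumptions for the demo. */
#define PACKETBUF_SIZE 128
#define LIST_HEAD_OFF  PACKETBUF_SIZE
#define GOOD_HEAD      ((uintptr_t)0x20001000u)
static uint8_t ram[PACKETBUF_SIZE + sizeof(uintptr_t)];

/* Zero the buffer and store a known-good list head right after it. */
void reset_ram(uintptr_t good_head) {
    memset(ram, 0, sizeof ram);
    memcpy(ram + LIST_HEAD_OFF, &good_head, sizeof good_head);
}

/* Read back whatever currently occupies the list-head slot. */
uintptr_t read_list_head(void) {
    uintptr_t v;
    memcpy(&v, ram + LIST_HEAD_OFF, sizeof v);
    return v;
}

/* Vulnerable pattern: no check against PACKETBUF_SIZE, so an oversized
 * frame overwrites the adjacent list head. The clamp to the image size only
 * keeps this demo inside its own array; it is not a real mitigation. */
void packetbuf_copy_unchecked(const uint8_t *src, size_t len) {
    if (len > sizeof ram) len = sizeof ram;
    memcpy(ram, src, len);
}

/* Hardened copy: reject input that does not fit. 0 = copied, -1 = rejected. */
int packetbuf_copy_checked(const uint8_t *src, size_t len) {
    if (len > PACKETBUF_SIZE) return -1;
    memcpy(ram, src, len);
    return 0;
}

/* Invariant a later consumer (the IP-callback path) depends on. */
int list_head_intact(uintptr_t expected) { return read_list_head() == expected; }

/* Feed a constructed oversized frame (all 0x41) through one of the copies.
 * Returns 1 if the list head survived, 0 if it was clobbered. */
int run_copy(int use_checked) {
    uint8_t pkt[PACKETBUF_SIZE + sizeof(uintptr_t)];
    memset(pkt, 0x41, sizeof pkt);
    reset_ram(GOOD_HEAD);
    if (use_checked) packetbuf_copy_checked(pkt, sizeof pkt);
    else             packetbuf_copy_unchecked(pkt, sizeof pkt);
    return list_head_intact(GOOD_HEAD);
}
```

After the unchecked copy the list-head slot holds 0x41 bytes, the same kind of attacker-shaped value the register dump shows being dereferenced; the checked copy leaves it untouched.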