Reproducer CVE-2023-1902

For the bug details see the writeup.

Due to the dangling state reference, an invalid target address is passed to atomic_set_bit_to, which forwards it to atomic_or. There the address is moved into r3 and dereferenced. The register dump shows that r3 does not hold a valid memory address. Because the access is performed with an exclusive load instruction, the fault is reported as a UsageFault rather than the usual HardFault.