For the bug details see the writeup.
The out-of-bounds access destroys some of the metadata of the packet buffer heap.
During allocation a invalid chunk address is dereferenced.
In this case the address is stored in r0 and the register dump shows that this address is not a valid memory region.