Graziano_M 4 hours ago

The DMA buffer points to the heap.

The USB controller has access to it, but it only increments and decrements it.

By sending multiple packets that are smaller than typical, we can trick the USB controller to decrement the base pointer by more than it should, getting to underflow.

It so happens that on A12, the DMA buffer is after the USB task stack, so getting it to decrement by enough will get it to point to the task stack, where we can then write to LR and control where some function on the stack will eventually return to.
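The defect the comment describes is a pointer adjustment that is never checked against the lower bound of the buffer it belongs to. The C below is an added illustration of the check that closes that class of bug; it is not the commenter's code and not the real controller's or bootrom's code. The descriptor layout (`base`, `length`, `cursor`), the function names and the 64-byte scenario are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a DMA buffer descriptor. Field names are assumptions
 * made for this example; they do not reflect any real controller's layout. */
typedef struct {
    uint8_t *base;   /* start of the heap-allocated buffer (lower bound) */
    size_t   length; /* total size of the buffer */
    uint8_t *cursor; /* position the controller reads or writes at next */
} dma_buf;

/* Move the cursor back by `bytes`, but only if it stays at or above base.
 * On an attempted underflow the cursor is left untouched and false is returned.
 * The comparison is done on distances, not raw pointers, so an oversized
 * request cannot wrap the pointer below the buffer. */
static bool dma_rewind(dma_buf *b, size_t bytes)
{
    size_t available = (size_t)(b->cursor - b->base);
    if (bytes > available)
        return false;
    b->cursor -= bytes;
    return true;
}

/* Symmetric check for the forward direction: never step past base + length. */
static bool dma_advance(dma_buf *b, size_t bytes)
{
    size_t remaining = b->length - (size_t)(b->cursor - b->base);
    if (bytes > remaining)
        return false;
    b->cursor += bytes;
    return true;
}

/* Constructed scenario: a 64-byte buffer with the cursor 32 bytes in, then
 * three rewinds of 16, 16 and 1 bytes. The third would cross below base and
 * must be rejected. Returns the number of rejected adjustments and reports
 * the final cursor offset through `final_offset`. */
static size_t scenario_rejected(size_t *final_offset)
{
    static uint8_t storage[64];
    dma_buf b = { storage, sizeof storage, storage + 32 };
    const size_t rewinds[] = { 16, 16, 1 };
    size_t rejected = 0;

    for (size_t i = 0; i < sizeof rewinds / sizeof rewinds[0]; i++)
        if (!dma_rewind(&b, rewinds[i]))
            rejected++;

    if (final_offset)
        *final_offset = (size_t)(b.cursor - b.base);
    return rejected;
}

/* Constructed scenario for the upper bound: cursor at offset 60 of 64,
 * advance by 4 (fits exactly) and then by 1 (must be rejected). */
static size_t scenario_advance_rejected(size_t *final_offset)
{
    static uint8_t storage[64];
    dma_buf b = { storage, sizeof storage, storage + 60 };
    size_t rejected = 0;

    if (!dma_advance(&b, 4)) rejected++;
    if (!dma_advance(&b, 1)) rejected++;

    if (final_offset)
        *final_offset = (size_t)(b.cursor - b.base);
    return rejected;
}

int main(void)
{
    size_t off = 0;
    size_t rej = scenario_rejected(&off);
    printf("rewind scenario: %zu rejected, cursor at offset %zu\n", rej, off);
    rej = scenario_advance_rejected(&off);
    printf("advance scenario: %zu rejected, cursor at offset %zu\n", rej, off);
    return 0;
}
```

The point of keeping both checks next to each other is that the lower bound is the one that tends to be forgotten: code that tracks "bytes remaining" naturally guards the end of the buffer, while a rewind path that only ever subtracts is trusted implicitly. A descriptor that records its own base makes the underflow check a one-line comparison, and a rejected adjustment is also a useful signal to log, since legitimate traffic has no reason to move the cursor outside its own buffer.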