This is described pretty well in the paper, but briefly: the "race condition" which they exploit happens because the CPU speculatively (and incorrectly) thinks it acquired a lock. Multiple threads being in a critical section can be exploitable and lead to arbitrary read/write and malicious code execution (one case demonstrated in the paper is some random NFC function). The researchers abuse the fact that the critical section can be entered speculatively to gain speculative malicious code execution, which they then use to construct a gadget which leaks arbitrary kernel memory into side channels.