rpi3b frame buffer segfault
Description of problem:
I'm compiling a series of bare metal Raspberry Pi labs for the RPi 3B.  One particular lab that I tried to compile and run, which makes use of the framebuffer, causes QEMU to segfault when trying to draw to the framebuffer.  It looks like the value of `dst` passed into `draw_line_s16` is bogus and this causes the segfault.  I'm not familiar enough with the code in QEMU to immediately know why `dst` is bogus.

The lab I'm trying to run (the code compiled to `kernel8.img`) is here: https://github.com/bztsrc/raspi3-tutorial/tree/master/09_framebuffer

A gdb stacktrace of the segfault is here:

```
Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>)
    at /home/rhett/qemu/include/ui/pixel_ops.h:46
46	    return (r << 16) | (g << 8) | b;
(gdb) bt
#0  0x00005555559580c0 in rgb_to_pixel32 (b=<optimized out>, g=<optimized out>, r=<optimized out>)
    at /home/rhett/qemu/include/ui/pixel_ops.h:46
#1  draw_line_src16
    (opaque=opaque@entry=0x7fffe84d1c30, dst=dst@entry=0x7fffe8235010 <error: Cannot access memory at address 0x7fffe8235010>, src=0x7fff94300004 "", src@entry=0x7fff94300000 "", width=639, width@entry=640, deststep=deststep@entry=0) at ../hw/display/bcm2835_fb.c:131
#2  0x0000555555953977 in framebuffer_update_display
    (ds=<optimized out>, mem_section=<optimized out>, cols=640, rows=480, src_width=1280, dest_row_pitch=2560, dest_col_pitch=0, invalidate=1, fn=0x555555957fe0 <draw_line_src16>, opaque=0x7fffe84d1c30, first_row=0x7fffffffdb90, last_row=0x7fffffffdb94)
    at ../hw/display/framebuffer.c:107
#3  0x0000555555957eeb in fb_update_display (opaque=0x7fffe84d1c30) at ../hw/display/bcm2835_fb.c:203
#4  0x00005555558a9146 in graphic_hw_update (con=0x555556b9bc00) at ../ui/console.c:230
#5  0x00005555558a7fea in dpy_refresh (s=0x5555571c6aa0) at ../ui/console.c:1842
#6  gui_update (opaque=opaque@entry=0x5555571c6aa0) at ../ui/console.c:165
#7  0x0000555556068ecd in timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:576
#8  timerlist_run_timers (timer_list=0x555556b15350) at ../util/qemu-timer.c:501
#9  0x00005555560690c0 in qemu_clock_run_timers (type=<optimized out>) at ../util/qemu-timer.c:672
#10 qemu_clock_run_all_timers () at ../util/qemu-timer.c:672
#11 0x0000555556064bf6 in main_loop_wait (nonblocking=nonblocking@entry=0) at ../util/main-loop.c:607
#12 0x0000555555b0a4f9 in qemu_main_loop () at ../softmmu/runstate.c:726
#13 0x000055555589ec74 in qemu_main (envp=0x0, argv=<optimized out>, argc=<optimized out>) at ../softmmu/main.c:36
#14 main (argc=<optimized out>, argv=<optimized out>) at ../softmmu/main.c:45
```
Steps to reproduce:
1. Clone the git repo for the labs I linked above
2. `cd raspi3-tutorial/09_framebuffer`
3. `make`
4. `make run`
5. Segfault

I have found this on QEMU 5.2, QEMU 7.0, and the bleeding edge of the github repo