vusec / drammer

Native binary for testing Android phones for the Rowhammer bug


get_phys_addr does not work correctly in helper.h

scyclzy opened this issue · comments

On my Android 5.0, APQ8084 chip (SAMSUNG N9150), all pages have the same physical address in a 4MB chunk. Why?
[FLIP] i:0xb6800000 l:4194304 v:0xb68621b4 p:0xbf0541b4 b: 8628 0x00000000 != 0x00000001 s:1478153785
[FLIP] i:0xb6800000 l:4194304 v:0xb68620ed p:0xbf0540ed b: 8429 0xffffffff != 0xfffffbff s:1478153785
[FLIP] i:0xb6800000 l:4194304 v:0xb6862a21 p:0xbf054a21 b:10785 0xffffffff != 0xfffffbff s:1478153785
[FLIP] i:0xb6800000 l:4194304 v:0xb68618c7 p:0xbf0548c7 b: 6343 0xffffffff != 0xefffffff s:1478153786
[FLIP] i:0xb6800000 l:4194304 v:0xb6862866 p:0xbf054866 b:10342 0xffffffff != 0xffefffff s:1478153786!
[FLIP] i:0xb6800000 l:4194304 v:0xb68678f7 p:0xbf0548f7 b:30967 0x00000000 != 0x80000000 s:1478153787
[FLIP] i:0xb6800000 l:4194304 v:0xb686611c p:0xbf05411c b:24860 0xffffffff != 0xffffffbf s:1478153787
[FLIP] i:0xb6800000 l:4194304 v:0xb686902e p:0xbf05402e b:36910 0x00000000 != 0x00040000 s:1478153789
[FLIP] i:0xb6800000 l:4194304 v:0xb6869140 p:0xbf054140 b:37184 0x00000000 != 0x00000080 s:1478153789
[FLIP] i:0xb6800000 l:4194304 v:0xb686aa55 p:0xbf054a55 b:43605 0x00000000 != 0x00001000 s:1478153789
[FLIP] i:0xb6800000 l:4194304 v:0xb6868946 p:0xbf054946 b:35142 0xffffffff != 0xffdfffff s:1478153789!
[FLIP] i:0xb6800000 l:4194304 v:0xb686e96f p:0xbf05496f b:59759 0xffffffff != 0x7fffffff s:1478153791
[FLIP] i:0xb6800000 l:4194304 v:0xb687189c p:0xbf05489c b:71836 0xffffffff != 0xffffffef s:1478153793
[FLIP] i:0xb6800000 l:4194304 v:0xb6871258 p:0xbf054258 b:70232 0xffffffff != 0xfffffff7 s:1478153794
[FLIP] i:0xb6800000 l:4194304 v:0xb687220b p:0xbf05420b b:74251 0xffffffff != 0xfeffffff s:1478153794
[FLIP] i:0xb6800000 l:4194304 v:0xb68772b7 p:0xbf0542b7 b:94903 0xffffffff != 0xfdffffff s:1478153796
[FLIP] i:0xb6800000 l:4194304 v:0xb687b111 p:0xbf054111 b:110865 0x00000000 != 0x00004000 s:1478153797
[FLIP] i:0xb6800000 l:4194304 v:0xb687c877 p:0xbf054877 b:116855 0xffffffff != 0xfbffffff s:1478153800
[FLIP] i:0xb6800000 l:4194304 v:0xb687c8ee p:0xbf0548ee b:116974 0xffffffff != 0xffbfffff s:1478153800
[FLIP] i:0xb6800000 l:4194304 v:0xb687e3fe p:0xbf0543fe b:123902 0xffffffff != 0xff7fffff s:1478153800

I think get_phys_addr is correct. It gets the PFN by reading pagemap.
The log says that in chunk 0xb6800000 there are many flips. Maybe there are flips in other chunks, but they are not tested.

Yes, nemozqqz is correct. The first address (following "i:") denotes the base address of the ION chunk in which the bit flip was observed. The actual physical address is "p:0x...".

The first line:
[FLIP] i:0xb6800000 l:4194304 v:0xb68621b4 p:0xbf0541b4 b: 8628 0x00000000 != 0x00000001 s:1478153785
and the last line:
[FLIP] i:0xb6800000 l:4194304 v:0xb687e3fe p:0xbf0543fe b:123902 0xffffffff != 0xff7fffff s:1478153800
The virtual addresses (v: ...) are in different pages, so the physical addresses (p: ...) should also be in different pages.
But they are in the same physical page, both in p:0xbf054xxx.

You are right, that is weird. I have seen similar issues on some devices when translating virtual to physical addresses. I suspect that ION pages are special, for some reason, but it could also be that there is a bug in https://github.com/vusec/drammer/blob/master/helper.h#L64

I am open to ideas :-)

I found that recent kernels no longer allow you to use /proc/self/pagemap to get the physical address of an ION chunk. Also, it seems that for some kernels, pagemap always returns the same physical address for any virtual address that falls in an ION chunk, which is exactly this issue. Without looking at the kernel code for the latter, I suspect that both issues are related.

There is no easy fix for this. You could perhaps have a look at the code in the geometry branch, which should take this issue into account. In general, it seems that only a kernel module can give us the actual physical address...
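An added example, not drammer's own code, illustrating the two points of this thread: how a /proc/self/pagemap entry is decoded into a physical address (the mechanism get_phys_addr relies on), and a consistency check that flags the symptom reported above, where virtual addresses in different pages translate into the same physical page. It assumes 4 KiB pages and the pagemap entry layout documented in the kernel's Documentation/vm/pagemap.txt (bit 63 present, bit 62 swapped, bits 0-54 PFN); the function names are mine, and the sample addresses in the comments are taken from the log lines in this issue.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PAGE_SHIFT 12
#define PAGE_OFFSET_MASK ((uint64_t)(1ULL << PAGE_SHIFT) - 1)
#define PAGEMAP_PRESENT  (1ULL << 63)
#define PAGEMAP_SWAPPED  (1ULL << 62)
#define PAGEMAP_PFN_MASK ((1ULL << 55) - 1)

/* Physical address from one pagemap entry plus the virtual address it
 * describes. Returns 0 when the page is not present, is swapped out, or the
 * PFN field is zero (since Linux 4.2 the kernel zeroes PFNs for readers
 * without CAP_SYS_ADMIN, so 0 means "unknown", not "physical page 0"). */
uint64_t phys_from_pagemap_entry(uint64_t entry, uintptr_t vaddr) {
    if (!(entry & PAGEMAP_PRESENT) || (entry & PAGEMAP_SWAPPED)) return 0;
    uint64_t pfn = entry & PAGEMAP_PFN_MASK;
    if (pfn == 0) return 0;
    return (pfn << PAGE_SHIFT) | ((uint64_t)vaddr & PAGE_OFFSET_MASK);
}

/* Read the 8-byte pagemap entry for vaddr. Returns 0 on any failure. */
uint64_t read_pagemap_entry(uintptr_t vaddr) {
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return 0;
    uint64_t entry = 0;
    off_t off = (off_t)(vaddr >> PAGE_SHIFT) * (off_t)sizeof(entry);
    ssize_t n = pread(fd, &entry, sizeof(entry), off);
    close(fd);
    return n == (ssize_t)sizeof(entry) ? entry : 0;
}

/* Sanity check for a pair of translations: two virtual addresses lie in the
 * same page exactly when their physical addresses do. Returns 1 when that
 * does not hold (e.g. v:0xb68621b4 and v:0xb687e3fe both landing in
 * p:0xbf054xxx, as in this issue) or when either lookup failed, else 0. */
int translation_inconsistent(uintptr_t va1, uint64_t pa1,
                             uintptr_t va2, uint64_t pa2) {
    if (pa1 == 0 || pa2 == 0) return 1;
    int same_vpage = (va1 >> PAGE_SHIFT) == (va2 >> PAGE_SHIFT);
    int same_ppage = (pa1 >> PAGE_SHIFT) == (pa2 >> PAGE_SHIFT);
    return same_vpage != same_ppage;
}

/* Stand-alone demo: translate two adjacent, touched pages of this process and
 * report whether pagemap gave a plausible answer. */
int main(void) {
    static char buf[3 * 4096];
    uintptr_t va1 = ((uintptr_t)buf + 4095) & ~(uintptr_t)4095;  /* page-aligned */
    uintptr_t va2 = va1 + 4096;                                    /* next page  */
    *(volatile char *)va1 = 1;  /* touch so the pages are actually mapped */
    *(volatile char *)va2 = 1;
    uint64_t pa1 = phys_from_pagemap_entry(read_pagemap_entry(va1), va1);
    uint64_t pa2 = phys_from_pagemap_entry(read_pagemap_entry(va2), va2);
    printf("v:0x%lx p:0x%llx\nv:0x%lx p:0x%llx\n",
           (unsigned long)va1, (unsigned long long)pa1,
           (unsigned long)va2, (unsigned long long)pa2);
    if (translation_inconsistent(va1, pa1, va2, pa2))
        printf("translation inconsistent (PFN hidden, or the pagemap issue from this thread)\n");
    else
        printf("translation consistent\n");
    return 0;
}
```

Run as an unprivileged user on a kernel newer than 4.2 the demo reports "inconsistent" because both physical addresses come back as 0; that is the hidden-PFN case, which a caller must distinguish from a genuine collision rather than treating 0 as a real address. On a device showing the behaviour from this issue, the check would flag the two ION addresses from the log as inconsistent even though pagemap returned non-zero PFNs.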